Microsoft is creating a new team of deputy CISOs and embedding them in engineering as part of a sweeping new security governance framework – introduced in the wake of blistering criticism by federal leaders in April.
As part of this move Redmond will tie "part of the compensation of the company’s Senior Leadership Team on our progress in meeting our security plans and milestones" Microsoft security boss Charlie Bell said on May 2.
(The Cyber Safety Review Board last month roasted a “corporate culture that deprioritized both enterprise security investments and rigorous risk management” at Microsoft, in the wake of hacks by Russian and Chinese threat groups that resulted in the compromise of federal agencies.)
Redmond’s new deputy CISOs will be “collectively responsible” for overseeing its “Secure Future Initiative” (SFI). Progress will be “reviewed weekly with [an] executive forum and quarterly with our Board of Directors” said Charlie Bell, Microsoft’s EVP for Security on May 3.
See also: Microsoft roasted over “cascade of security failures” – authentication system utterly broken
In a blog that features the term “100%” no fewer than 18 times, he promised to ensure that “100% of user accounts are protected with securely managed, phishing-resistant multifactor authentication” and, distinctly ambitiously, that Microsoft would “eliminate 100% of identity lateral movement pivots between tenants, environments, and clouds.”
In a note that will be particularly welcome to those who have bewailed a lack of cloud security transparency, Bell said Microsoft would be start publishing Common Weakness Enumeration (CWE), and Common Platform Enumeration (CPE) industry standards for released high severity Common Vulnerabilities and Exposures (CVE) affecting the cloud.
The CSRB’s report on April 2 saw Microsoft’s largest cloud rival Amazon make hay out of its security culture: Weeks after its publication, AWS CISO Chris Betz wrote pointedly that “our security culture starts at the top, and it extends through every part of our organization. Over eight years ago, we made the decision for our security team to report directly to our CEO.”
See also: Veeam CISO Gil Vega on security culture, sleeping at night, guarding POWs, tips for CISOs
“This structural design redefined how we build security into the culture of AWS and informs everyone at the company that security is our top priority by providing direct visibility to senior leadership,” he added.
Commenting on that on LinkedIn, Amazon Chief Security Officer Stephen Schmidt noted: “Most people think of information security as a technical problem. I disagree. Fundamentally, information security is a people problem. Our adversaries are (at least for now) human,” he wrote.
“ They're motivated by money, ideology, coercion, and quite often ego…
“On the defensive side, the biggest levers we can pull to secure our customers' information are not technical. While it's certainly true that secure-by-default designs have a huge part to play in being successful at the protection process, by far the most important thing we've done at Amazon is focus on our people, and how they think about security.”
See also: Dell's Chief Security Officer on physical security, frameworks, burnout and incident response
Microsoft CEO Satya Nadella meanwhile on May 3 emailed all of the company’s 200,000+ staff to say that “Going forward, we will commit the entirety of our organization to SFI, as we double down on this initiative…”
He added: “Security is a team sport, and accelerating SFI isn’t just job number one for our security teams — it’s everyone’s top priority and our customers’ greatest need. If you’re faced with the tradeoff between security and another priority, your answer is clear: Do security.
“In some cases, this will mean prioritizing security above other things we do, such as releasing new features or providing ongoing support for legacy systems.” Those Microsoft customers left with unsupported legacy systems? Well, “shared responsibility” stops being shared at SOME point.
