Search This Blog

Powered by Blogger.

Blog Archive

Labels

Microsoft Revamps Security Leadership, Empowering Deputy CISOs

Microsoft empowers Deputy CISOs, and ties executive compensation to security goals amidst recent breaches and scrutiny.

 


There have been a series of major security breaches recently, and Microsoft is making changes to its security practices, organizational structure, and executive compensation to address the issue, as government leaders and big customers increasingly pressure the company to address the issue.

A portion of the company's senior executive compensation will be tied to progress towards security goals, according to the company. Each product group will be headed by a deputy chief information security officer (CISO), and teams from the company's major platforms and product teams will be brought together in "engineering waves" to revamp security procedures. 

A new team of deputy chief information security officers has been set up by Microsoft in response to blistering criticism from federal officials in April about the lack of security governance. They will be embedded within engineering as part of a sweeping new security governance framework that has been implemented by Microsoft. 

It has been announced that Redmond will tie "part of the compensation of its Senior Leadership Team to our progress toward meeting the security milestones and plans that we set forth for the company." Microsoft security chief Charlie Bell announced on May 2. A spokesperson for Microsoft's Executive Vice President of Security, Charlie Bell, has mentioned on LinkedIn that Microsoft's Secure Future Initiative is a part of the decision to restructure the company's security leadership. 

It was introduced by Microsoft in November to boost the security levels of its wide range of software products and is intended to enhance the security of those products.  Igor Tsyganskiy, a CISO with a long-standing role at the company, will be transitioning from his long-term role of Chief Security Adviser to the role of Chief Security Adviser in a blog post published on December 5. 

According to Bell, Igor Tsyganskiy is expected to assume the role of CISO in the New Year, he will become the company's new chief information security officer. Microsoft spokespersons said that Ann Johnson, a long-time corporate vice president at the company, will be adding the title of deputy CISO, customer outreach, and regulated industries as a result of the changes. 

Bloomberg first reported the changes regarding Microsoft's security chiefs, and Johnson will be tasked with scaling customer engagement and communicating about Microsoft's security. Johnson will be responsible for scaling customer engagement and communication about Microsoft's security. A new role for Microsoft CISO Igor Tsyganskiy will be devoted to nation-state actors and threat hunting. 

It was a result of the findings reported by the Cyber Safety Review Board in early April, in which the company received heavy criticism regarding their response to the hack of Microsoft Exchange Online in the summer of 2023, which led to renewed scrutiny of Microsoft. It was pointed out by the board that the attack -- in which 60,000 emails from the State Department were stolen and Gina Raimondo's account was hacked - was entirely preventable and criticized the company for focusing on product development and features over security for its customers. 

Cybersecurity and Infrastructure Security Agency has issued mitigation guidance to key federal agencies following a separate attack on credentials and source code stolen by the Russia-linked threat group Midnight Blizzard, which resulted in the hacker stealing credentials and source code. 

Compared to recent announcements from other organizations that have appointed business information security officers, Jess Burn, principal analyst at Forrester, said the Microsoft announcements were necessary steps.  The former Microsoft CTO previously served at Bridgewater Associates LP, an investment firm that serves institutional clients like pension funds, endowments, foundations, foreign governments, and central banks as their Chief Technology Officer. 

As a Senior Vice President of Product Management and Head of SAP SE's Advanced Technology Group, Tsyganskiy served as a Senior Vice President of Product Management at Salesforce Inc. and previously led Salesforce Inc.'s Advanced Technology Group. With the advent of technologies such as artificial intelligence (AI), which must be developed with a strong focus on cybersecurity, Microsoft is becoming more optimistic about the development of these technologies. 

There is a commitment to reducing vulnerabilities within Microsoft's product ecosystem that sits at the core of the Secure Future Initiative. To minimize the risk of specific bugs that may be exploited by cyber attackers, the company plans to increase the use of memory-safe programming languages, such as Java, C#, and Python. 

It has also been announced that Microsoft will be using CodeQL, an open-source tool developed by GitHub for automated code vulnerability scanning as well as streamlining its threat modeling procedures. Microsoft plans to double the speed at which it fixes security flaws in its cloud services by accelerating the deployment of security patches by incorporating a remediation methodology called dSDL, which is based on continuous integration and continuous delivery software.  

A report from Microsoft called for the CEO and board to be in charge of all security initiatives directly and closely. As a result of the CSRB report, it was noted that all senior leaders should be held accountable for ensuring that all necessary changes are implemented as soon as possible. It was introduced by Senator Ron Wyden of Oregon, who cited Microsoft's "shambolic cybersecurity practices" as a reason to reduce the U.S. government's reliance on Microsoft software after the report was released.

It is Bell who wrote that Microsoft has decided to incorporate the recommendations made by the CSRB as well as lessons learned from high-profile cyberattacks as part of the changes announced Friday. Microsoft announced on Friday that it would change the compensation for the company's senior leaders, the top executives who report directly to Satya Nadella. 

However, the company did not indicate how much of their compensation would be based on their security credentials. On the company's quarterly earnings call last week, Nadella hinted at these changes by saying the company would "put security before all else, before all other features and investments." He continued by adding that security will be a top priority. Friday morning, Nadella released an internal memo that elaborated on the themes presented in Bell's public blog post, delivering a directive to employees.
Share it:

CISO

Cyber Safety

Cyber Security

Cyberattacks

CyberCrime

Microsoft

Technological Updates