Why it matters: In the wake of major cyberattacks and criticism from the feds, Microsoft is going all-in on beefing up security across its products and services. The company is rolling out a massive overhaul to put security at the forefront, as outlined in an internal memo from CEO Satya Nadella.
According to an internal memo obtained by The Verge, security is now Microsoft’s “top priority” above all else. Nadella makes it crystal clear to employees that if they ever face a tradeoff between security and another objective, the answer is simple: prioritize security, no questions asked.
“If you’re faced with the tradeoff between security and another priority, your answer is clear: Do security,” Nadella states bluntly. “In some cases, this will mean prioritizing security above other things we do, such as releasing new features or providing ongoing support for legacy systems.”
That last part is especially noteworthy. Microsoft has long been known for supporting its software far longer than is typical. But Nadella hints the company may have to let go of some legacy baggage in order to stay ahead of evolving cyberthreats.
The security reckoning comes after the US Cyber Safety Review Board labeled Microsoft’s past security practices as “inadequate” following an investigation into major incidents like last summer’s Storm-0558 attack. The company is now implementing a “Secure Future Initiative” that Nadella says will govern “every facet” of Microsoft’s products and operations going forward.
The initiative has three core principles: “Secure by Design” (baking in security from the start), “Secure by Default” (security protections on automatically), and “Secure Operations” (continuous monitoring and improvement). Nadella says the principles will be applied across key areas like identity protection, system isolation, threat detection, and incident response.
Part of the senior leadership’s compensation will also be tied to hitting security goals and milestones under the new initiative. So they’ll have some extra financial motivation to get things right.
In the memo, Nadella stresses that the entire company – not just the security teams – is responsible for this security push. “Every task we take on – from a line of code, to a customer or partner process – is an opportunity to help bolster our own security and that of our entire ecosystem,” he writes.
The urgency behind Microsoft’s security overhaul is underscored by last year’s devastating Exchange Online hack. The attack is believed to be the work of China-linked threat actor Storm-0558, which stole an Azure signing key from a Microsoft engineer’s laptop in late 2021 following a company acquisition. That key then granted the attackers access to the online email inboxes of over 20 organizations, impacting hundreds of high-profile victims including senior US government officials.
In January, Nadella advocated for a “cyber Geneva Convention” between the US, Russia, and China after Russia’s Cozy Bear breached Microsoft’s network, warning that unchecked nation-state cyberattacks could trigger global instability.
With cyberattacks ramping up and regulation likely on the way, it was high time for Microsoft – along with other major tech giants – to get its security house in order.