While Microsoft appears to be aggressively beefing up its cybersecurity efforts after a series of embarrassing incidents, the company's list of proof points meant to emphasize that “security is our top priority” raises some pretty big questions, starting with this one: What Is Microsoft's goal? Top priority before security?
I'll get to these other big questions in a moment, but first let me make some guesses about what the previous “highest priority” might be:
profit? openeye? Activision deal closing? Footnotes? Will it figure out how to turn its plans to become a massive user of nuclear energy into its “green” form? (BTW, I'm a big fan of the Three Mile Island Plan!) Want to stay on top of your revitalized AWS?
I guess what bothers me is that Microsoft seems to want to be praised, appreciated, and admired for realizing – here in 2024 – that security cannot be a second thought and certainly should never be an afterthought. That's why I'm confused about Microsoft's top priority before CEO Satya Nadella finally gets fed up with his company's many security shortcomings and public embarrassment and decides that from now on, security is now the big thing.
I think the sheer fact that Microsoft is finally acknowledging the priority of security in today's digital world is a good thing. But to put it bluntly, what the hell took them so long to realize that??
Below is an excerpt of the big security updates released by Microsoft this week. I'm not sure what you'll make of that, but to me it all seems pretty clear — it all sounds like the kind of things everyone just assumed Microsoft was doing over the past five years as it became the world's largest enterprise. Cloud provider, cloud revenues in calendar 2024 are likely to approach $150 billion. The excerpt is from Microsoft Executive Vice President and Head of Security Business Charlie Bell in a blog post earlier this week:
“At Microsoft, we recognize our unique responsibility to protect the future of our customers and our community. As a result, everyone at Microsoft plays a pivotal role in ‘Putting Security Above All’. We have made significant progress in fostering a security-first culture.
Well – it looks nice and warm and all that. But the key point comes in the third and final sentence when Bell specifically admits that Microsoft — again, the world's largest cloud vendor and one of the world's leading suppliers of AI technology, enterprise applications and much more — does not have a security system. Culture First, instead simply makes “progress in promoting a security-first culture.”
Ask your Cloud Wars AI Agent about this analysis
To the CEOs and IT managers evaluating cloud and AI providers: Does this revelation from security leader Bill give you complete confidence about handing over the future of your organization — and perhaps your career, too — to Microsoft?
Okay, I see I'm starting to go through my big list of questions about this whole Microsoft conversion, so let's get to those.
Question: As stated above, what took Nadella and his team so long to realize that security wasn't just an upgrade or add-on, but should instead be at the core of everything Microsoft does? Question: How can Nadella have such a complete blind spot on security, which has dominated high-level thinking among the top 10 companies in Cloud Wars for the past several years? Peter Drucker famously said, “Culture eats strategy for breakfast.” In a damning report on Microsoft's security shortcomings released earlier this year, a team within the US Department of Homeland Security called the Cyber Safety Review Board criticized Microsoft's culture for failing to prioritize security, and failing to hold anyone accountable for security problems and disasters. Failure to link financial incentives for executives to security, and failure to adequately fund security initiatives despite Microsoft being one of the richest companies the world has ever known. (For fiscal year 2024, Microsoft's net income was $88.1 billion.) Question: Aside from the trivial cultural changes that Bill mentioned in his blog post, how is Microsoft trying to reform its culture to ensure that security actually becomes the top priority rather than security? In messages? Late last year, Microsoft hired a new CISO from outside the company – and good luck with that decision! Igor Tsygansky comes from one of the world's largest asset management firms (Bridgewater Associates) and brings a much-needed client perspective to this vital position. Brett Arsenault, the former chief information security officer, has been among the company's best insiders his entire life: During his 35-year career at Microsoft, he was chief information security officer for 23 consecutive years until Nadella realized late last year that a leader was needed. New with a fresh vision to lead the company. Necessary changes. Question: How could Nadella – one of the world's top CEOs – not realize much earlier that a new chief information security officer was necessary as part of a much-needed security overhaul? New CISO Tsyganskiy reports to Security Leader Bell, who for the past three years has served as Executive Vice President of Security, Compliance, Identity and Administration. And Arsenault, who may be a great guy but who nonetheless headed with Bill an organization that was so out of touch with current reality that Microsoft is overhauling its entire security operation, now serves as the company's vice president and senior cybersecurity advisor. Questions: Since joining Microsoft from Amazon in September 2021, has Bill been loudly and relentlessly urging Nadella to overhaul Microsoft's entire approach to security? If not, why do Nadella and Microsoft's customers think he is the right person to lead the necessary changes? Conversely, if Bill was beating the drum for sweeping changes in security, why didn't Nadella listen? Why did Nadella wait two years? What conflicting priorities have blinded Nadella and other high-level leaders from viewing security as anything other than the top priority?
Final thoughts
In addition to the blog post from Bell outlining these first rounds of changes, Microsoft also earlier this week published a September 2024 progress report on its efforts. Much of this 25-page document is devoted to discussing the company's six “engineering pillars” on which its development and new security behavior depend. Take a look at these six pillars:
Protect identities and secrets Protect tenants and isolate production systems Protect networks Protect engineering systems Monitor and detect threats Accelerate response and remediation
In Bell's blog post, he says that all six of these “core pillars” represent a “critical area of focus for cybersecurity. These pillars guide our continued work to elevate security across Microsoft and help us meet the evolving demands of the security landscape.”
Do these pillars—the descriptions of which take up nearly 20 of the progress report's 25 pages—fill you with optimism about Microsoft's new security vision, security commitment, and security culture?
Me too.
AI Copilot Summit NA is the first AI event to identify opportunities, impact and outcomes possible with Microsoft Copilot for mid-market companies and enterprises. Register now to attend the AI Copilot Summit in San Diego, CA March 17-19, 2025.
