"Microsoft Overhauls Cybersecurity Strategy After Scathing CSRB Report"

In the wake of a scathing US government report that condemned Microsoft's weak cybersecurity practices and lax corporate culture, security chief Charlie Bell has announced that he is pledging significant reforms and a strategic shift to prioritize security above all other product features. Bell announced plans to add Deputy CISOs into each product team and link a portion of senior leaders' paychecks to progress on security milestones and goals. In addition, engineering teams across Microsoft Azure, Windows, Microsoft 365, and Security have begun what Bell refers to as "engineering waves" to prioritize security enhancements and remediation within an expanded Secure Future Initiative (SFI). The initiative, first announced in November 2023 before the Cyber Safety Review Board (CSRB) investigation, promises faster cloud patches, better management of identity signing keys, and products with a higher default security bar. Bell said Microsoft will implement state-of-the-art standards for identity and secrets management, including hardware-protected key rotations and phishing-resistant multi-factor authentication for all user accounts. Bell noted that Microsoft is committing to "beefing up the protection of its network and tenant environments, removing all entity lateral movement pivots between tenants, environments, and clouds; and ensuring only secure, managed, healthy devices are granted access to Microsoft tenants." Bell noted that Microsoft plans to build and maintain an inventory of software assets used to deploy and operate Microsoft products and services and ensure access to source code and engineering systems infrastructure is secured through Zero Trust and least-privilege access policies.

SecurityWeek reports: "Microsoft Overhauls Cybersecurity Strategy After Scathing CSRB Report"