I’ve previously reported how Microsoft is under public pressure about its security—well, they’ve responded.
Microsoft CEO Satya Nadella emphasizes prioritizing security above all else in a memo to employees. The company is overhauling its security processes after a series of high-profile attacks.
The goals include secure design, default security, and secure operations, focusing on protecting identities, isolating production systems, securing networks, protecting engineering systems, monitoring and detecting threats, and accelerating response and remediation.
Nadella urges employees not to make security tradeoffs and highlights the need for technical and operational rigor in improving security. Microsoft’s Secure Future Initiative (SFI) will focus on principles such as Secure by Design, Secure by Default, and Secure Operations.
- Secure by Design: Security comes first when designing any product or service.
- Secure by Default: Security protections are enabled and enforced by default, require no extra effort, and are not optional.
- Secure Operations: Security controls and monitoring will continuously be improved to meet current and future threats.
The company will implement specific actions recommended by the Cyber Safety Review Board (CSRB) and hold the senior leadership team accountable for progress in meeting security plans and milestones.
Why do we care?
It’s a plan, that’s for sure. One does wonder why this wasn’t the plan before, and I will note that Bill Gates’s Trustworthy Computing memo 22 years ago was both impactful as messaging… and surprisingly similar in theme. The phrase “secure by default” appears right in that 22-year-old memo.
This is the right message to deliver to customers. The recurrence of such initiatives might indicate that previous measures were either insufficiently implemented or failed to keep pace with threats. This raises the question of whether the current strategy will effectively address these issues or whether it, too, might fall short over time. The tech community and Microsoft’s customers should look for tangible changes in product design and operations that reflect these security priorities, rather than taking reassurances at face value.