
Microsoft’s Security Overhaul Report: New Governance, Tight Controls, and Accountability Measures to Rebuild Trust

The big news is that Microsoft released a progress report on its security investments. Microsoft has prioritized security across its organization, launching the Secure Future Initiative (SFI) to address past security failures. With 34,000 engineers focused on cybersecurity, the company has implemented significant changes, including updating security systems, reducing access token lifespans, and enhancing transparency by publishing CVEs for the vulnerabilities it fixes. New governance structures, including a Cybersecurity Governance Council and ongoing employee training, aim to foster a culture of security. Despite the progress, Microsoft acknowledges the ongoing challenge of rebuilding trust in its security practices.

Microsoft has also eliminated 730,000 unused applications and 5.75 million inactive tenants. Key measures include deploying 15,000 locked-down devices, implementing video-based identity verification for 95% of production staff, and updating access token processes. Microsoft aims to reduce its attack surface and improve identity and authentication mechanisms, with accountability measures for executives tied to security goals.

I spotted some quick data points that are related. A recent IDC survey commissioned by Zerto reveals that backup failures account for 32% of global data loss incidents. 48% of those who paid ransoms had valid backups, but only 20% fully recovered their data.

HYCU’s 2024 SaaS Resilience Report reveals that while SaaS adoption is high, many organizations face security gaps due to shadow IT and reliance on vendors for backup. Only 43% of businesses have recovery plans for SaaS data. A lack of skilled IT talent further exacerbates these issues, and only 19% of surveyed businesses work with managed service providers on continuity strategies.

Why do we care?

Microsoft’s approach to rebuilding its security posture clearly signals where the industry is headed: towards tighter security controls, greater transparency, and an emphasis on governance and accountability. Layer in government pressure, particularly with Microsoft’s reputation taking a beating with the US government and the rollout of CMMC 2.0, and the trend is clear.

Tactically, the guidance isn’t new, just reinforced. Take a page from Microsoft’s playbook by conducting comprehensive audits of client environments to identify and eliminate unused resources (stale applications, inactive tenants, dormant accounts) that could become security liabilities, reducing the attack surface. Offer tailored security assessments and recovery planning for SaaS platforms, addressing the specific challenges posed by shadow IT and vendor-reliant backup strategies. Bridge the talent gap by providing cybersecurity training and managed security services.

Strategically, a less-is-more approach works. Do less, and do it better.

I’ll talk more about trust again later today.