Microsoft said it launched a Cybersecurity Governance Council as part of a larger restructuring of its internal security culture following a scathing report from the federal Cyber Safety Review Board.
The council will take ownership over ongoing compliance, implementing regulatory requirements and identifying the architecture required to reach its security goals. The governance changes were listed in a progress report released Monday showing how Microsoft revamped its security practices and raised accountability since launching the Secure Future Initiative in November.
As part of the effort, Microsoft has named 13 deputy CISOs that will each be responsible for specific product segments within the company, including Azure, Microsoft 365, AI and gaming.
Under the new structure, the company’s senior leadership team is reviewing progress made under SFI on a weekly basis, Microsoft said. It will, in turn, provide updates to the company board of directors every quarter.
Microsoft also detailed a host of internal changes designed to reduce risk in its cloud and production environments:
- The company finished updates to Microsoft Entra ID and Microsoft Account for public and U.S. government cloud to generate, store and automatically rotate access token signing keys.
- The company eliminated 730,000 unused apps as part of its app lifecycle management for production and productivity tenants. Microsoft also said it reduced its attack surface by eliminating 5.75 million inactive tenants.
- Microsoft is now using a centrally governed pipeline template to run about 85% of its production build pipelines for commercial cloud, an effort that will help make deployments more consistent and trustworthy.
- The company updated processes to improve time-to-mitigate across critical cloud vulnerabilities, including publishing them as CVEs in order to boost transparency.
Staff up changes
Beyond the governance and production changes, Microsoft is turning its attention to the skills of its staff. The company said it launched the Security Skilling Academy in July, which provides curated security training to all company employees.
The training program comes after a devastating breach during the summer of 2023, when a threat group linked to China stole 60,000 emails from the U.S. State Department and breached the account of U.S. Commerce Secretary Gina Raimondo.
The CSRB report called the 2023 hack entirely preventable and blamed an internal culture at Microsoft that prioritized speed-to-market over security and required urgent changes.
A separate attack disclosed in January by state-linked Midnight Blizzard used a password-spray attack to breach emails of top company executives. The threat group later used stolen credentials to target federal agencies.
In early May, Microsoft announced plans to restructure many of its internal governance practices and make other changes recommended by the CSRB report. Among those changes, Microsoft also said it would partially tie compensation to security.
“Microsoft’s Secure Future Initiative is a necessary initiative by a company that is responsible for the majority of the IT industry’s zero days,” Tom Gann, chief public policy officer at Trellix, said via email. “The focus on secure by design, secure by default and secure by operations makes sense as Microsoft works to finally build a corporate commitment to a culture of security.”
