Microsoft is pivoting to “security above all else” following a series of devastating breaches and a damning review by the US Cyber Safety Review Board.

Charlie Bell, EVP of Microsoft Security, pointed out the company’s recent Secure Future Initiative (SFI) that it rolled out last November, saying the company must do more given its role in the world’s digital ecosystem.

Microsoft plays a central role in the world’s digital ecosystem, and this comes with a critical responsibility to earn and maintain trust. We must and will do more.

We are making security our top priority at Microsoft, above all else—over all other features. We’re expanding the scope of SFI, integrating the recent recommendations from the CSRB as well as our learnings from Midnight Blizzard to ensure that our cybersecurity approach remains robust and adaptive to the evolving threat landscape.

Bell says that everything Microsoft does moving forward will be based on three key principles:

1. Secure by design: Security comes first when designing any product or service.
2. Secure by default: Security protections are enabled and enforced by default, require no extra effort, and are not optional.
3. Secure operations: Security controls and monitoring will continuously be improved to meet current and future threats.

Bell then outlines six prioritized security pillars, including protecting identities and secrets; protect tenants and isolate production systems; protect networks; protect engineering systems; monitor and detect threats; and accelerate response and remediation.

We are delivering on these goals through a new level of coordination with a new operating model that aligns leaders and teams to the six SFI pillars, in order to drive security holistically and break down traditional silos. The pillar leaders are working across engineering Executive Vice Presidents (EVPs) to drive integrated, cross-company engineering execution, doing this work in waves. These engineering waves involve teams across Microsoft Azure, Windows, Microsoft 365, and Security, with additional product teams integrating into the process weekly.

Bell emphasized the importance of existing standards, or paved paths, that “significantly improves the developer or operations experience or security, quality, or compliance.”

Notably, Microsoft is instituting new governance in an effort to hold the entire company accountable and ensure teams are putting security first:

We are also taking major steps to elevate security governance, including several organizational changes and additional oversight, controls, and reporting.

Microsoft is implementing a new security governance framework spearheaded by the Chief Information Security Officer (CISO). This framework introduces a partnership between engineering teams and newly formed Deputy CISOs, collectively responsible for overseeing SFI, managing risks, and reporting progress directly to the Senior Leadership Team. Progress will be reviewed weekly with this executive forum and quarterly with our Board of Directors.

Finally, given the importance of threat intelligence, we are bringing the full breadth of nation-state actor and threat hunting capabilities into the CISO organization.

Bell acknowledged that one of the biggest challenges is building a culture that puts security first, outlining how the company is doing this, and the importance of Microsoft earning the trust so many organizations have place in it.

Culture can only be reinforced through our daily behaviors. Security is a team sport and is best realized when organizational boundaries are overcome. The engineering EVPs, in close coordination with SFI pillar leaders, are holding broadscale weekly and monthly operational meetings that include all levels of management and senior individual contributors. These meetings work on detailed execution and continuous improvement of security in context with what we collectively deliver to customers. Through this process of bottom-to-top and end-to-end problem solving, security thinking is ingrained in our daily behaviors.

Ultimately, Microsoft runs on trust and this trust must be earned and maintained. As a global provider of software, infrastructure, and cloud services, we feel a deep responsibility to do our part to keep the world safe and secure. Our promise is to continually improve and adapt to the evolving needs of cybersecurity. This is job number one for us.

Much of Bell’s post seems a direct response to the Cyber Safety Review Board’s conclusion, in which it said:

The Board finds that this intrusion was preventable and should never have occurred. The Board also concludes that Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations.

Similarly, Senator Ron Wyden called out Microsoft “for its negligent cybersecurity practices.”

The company seems to realize it has played fast and loose with cybersecurity for far too long and must work hard to regain the trust it has lost. Only time will tell if Microsoft can deliver on its promise.