Microsoft president vows sweeping cultural transformations aimed at enhanced security measures
Microsoft, under the leadership of President Brad Smith, has pledged to overhaul its culture and foster an environment that encourages employees to report and address security issues. This commitment was made during Smith's testimony before the House Committee on Homeland Security.
Smith emphasized that Microsoft is focused on finding every vulnerability it can, and that everything the company does is centred around this goal. One of the key initiatives toward that goal, as Smith promised, is a set of significant changes to the company's culture.
In a move to incentivize cybersecurity efforts, Microsoft has approved a plan to tie annual bonuses for senior executives, in part, to their cybersecurity performance. Starting from the new fiscal year on July 1, one-third of a senior leader's individual performance for their bonus will be based on their cybersecurity-related performance.
However, the specific details of the plan to improve security culture and incentivize employee reporting, as announced by Smith, are not yet fully described in available sources.
The push for a more secure Microsoft comes amidst criticism from industry figures. Ryan Kalember, chief strategy officer at Proofpoint, accused Microsoft of prioritizing product interconnectedness over building products that are secure by design. Kalember's statement suggested that Microsoft lags behind rivals like Apple, Amazon, or Google in terms of product security.
The U.S. Cyber Safety Review Board analysed Microsoft's security culture following the summer 2023 hack of Microsoft Exchange Online by a state-linked threat group. The board's 34-page report described Microsoft's security culture as "inadequate," urging "rapid cultural change" and recommending that Microsoft's CEO and board publicly share "a plan with specific timelines to make fundamental, security-focused reforms across the company and its full suite of products."
Smith did not address Kalember's criticism directly during the hearing. He also stated that he had not had a chance to review the ProPublica report about a whistleblower who alleged that Microsoft ignored years of warnings from one of its own engineers about a vulnerability that led to the Sunburst attacks.
Despite these challenges, Microsoft is engaged in the largest engineering project focused on security in the history of digital technology. More than 34,000 full-time engineers are working on this project, and security will become part of the biannual review for all employees at Microsoft.
In response to a question about potential similar vulnerabilities, Smith stated that he was not aware of any. Microsoft has accepted full responsibility for its security failures, as stated by Brad Smith. The company will continue to work towards creating a culture that prioritizes security and encourages employees to report any concerns they may have.
- Microsoft's focus on cybersecurity, as underlined by President Brad Smith, extends to promoting a culture that encourages reporting and addressing security issues, following a commitment made during his testimony before the House Committee on Homeland Security.
- In an effort to incentivize cybersecurity efforts, Microsoft has decided to partially tie the annual bonuses of senior executives to their cybersecurity performance, starting from the new fiscal year on July 1.
- The U.S. Cyber Safety Review Board's report on Microsoft's security culture highlighted a need for rapid cultural change and urged Microsoft to prioritize security across its full suite of products, following a hack of Microsoft Exchange Online by a state-linked threat group in summer 2023.