Microsoft’s Nadella Tells Staff to Make Cybersecurity Top Priority
(Bloomberg) — Facing harsh criticism for failing to contain several major cyberattacks, Microsoft Corp. Chief Executive Officer Satya Nadella sent a blunt message to his staff Friday urging them to make cybersecurity a top priority.

“If you’re faced with the tradeoff between security and another priority, your answer is clear: Do security,” Nadella wrote in a companywide memo. “In some cases, this will mean prioritizing security above other things we do, such as releasing new features or providing ongoing support for legacy systems.”

Nadella’s memo came as Microsoft announced a series of new anti-hacking initiatives that include basing a portion of senior leaders’ compensation on meeting cybersecurity milestones and adding cyber chiefs to its product groups.

Microsoft has faced increasing scrutiny for its role in a number of high-profile hacks, and a government panel last month described the company’s security culture as inadequate and in need of urgent reforms. Microsoft in November unveiled the Secure Future Initiative, its most significant security plan since co-founder Bill Gates halted Windows development in 2002 and ordered engineers to prioritize product safety over new features.

But some rivals, government officials and customers have questioned whether the recent overhaul went far enough — and have called for Nadella to issue a memorandum that echoed Gates’ missive.
“We must and will do more,” Microsoft security chief Charlie Bell wrote in a blog post Friday. “We are making security our top priority at Microsoft, above all else — over all other features.” As part of that, the company is expanding the scope of the Secure Future Initiative, he said, integrating recommendations from the government panel’s report as well as lessons gleaned from a recent breach tied to Russian state-sponsored hackers.
The company’s approach, Bell said, will be guided by three principles: security comes first when designing any product or service; security protections are enabled and enforced by default, requiring no extra effort and not optional; and security controls and monitoring will be continuously improved to meet current and future threats.

“Culture can only be reinforced through our daily behaviors,” Bell said. The deputy chief information security officers being added to the product groups will report to Igor Tsyganskiy, who became global chief information security officer in December, one month after Microsoft announced its security overhaul.
Ann Johnson, a Microsoft security executive since 2015, has been named deputy CISO for customer outreach and regulated industries and also will report to Tsyganskiy. Johnson’s role will focus on “customer engagement and communication about Microsoft’s own security,” the Redmond, Washington-based company said in an email.
Early this year, a Russian state-sponsored group was blamed for combing through the email accounts of top Microsoft executives — prompting the company to reassign thousands of engineers to help mitigate the intrusion and accelerate security updates. In May 2023, a hacking gang linked to the Chinese government was accused of stealing one of Microsoft’s access tools and using it to break into the email accounts of US Commerce Secretary Gina Raimondo, US Ambassador to China Nicholas Burns and hundreds more.
On Friday, a German official said Russia-backed hackers exploited a previously unknown flaw in Microsoft Outlook to breach government departments, companies and officials in Chancellor Olaf Scholz’s Social Democratic Party.
Last month, the US Cyber Safety Review Board issued a withering report documenting the company’s inability to stop the China-linked hack and calling on Microsoft to institute urgent reforms. US Senator Ron Wyden introduced draft legislation on April 8 that would require the government to set mandatory security standards for collaboration software, citing Microsoft’s “shambolic cybersecurity.”
The latest set of changes is meant to address how to give each product group a focus on security as it moves to add new features and box out competitors in fields like artificial intelligence. Nadella said last week on a call with investors that the company is now “putting security above all else.”
(Updates with quote from Satya Nadella memo in third paragraph.)
©2024 Bloomberg L.P.