Microsoft Corp, aiming to shore up cybersecurity after a series of damning failures, has hired new executives from places like the US government and is holding weekly meetings with its most senior executives to advance a companywide initiative to make its software more resilient.
Timothy Langan, a 26-year FBI veteran, has been hired as deputy chief information security officer for government, while Shawn Bowen, a past CISO for the United States Marine Corps Intelligence, will take a deputy CISO role for gaming. Microsoft has also given such longtime executives as Azure chief technology officer Mark Russinovich and cybersecurity Vice President John Lambert new deputy CISO duties, part of a group of 13 executives with that title.
The software maker said it now has the equivalent of 34,000 full-time engineers working on security.
The moves are part of the company’s effort to assure customers, including the US government, that it’s making progress on its Secure Future Initiative, the biggest overhaul to its cybersecurity posture in more than two decades after a series of damaging hacks and a government report that described the company’s security culture as in need of urgent reforms.
Microsoft unveiled the initiative in November and named a new chief information security officer in December. In May, chief executive officer Satya Nadella ordered the company’s engineers to prioritise security above all else, including new product development. The company is also now grappling with how to adjust the way security partners release products that involve its Windows software after a flawed update from CrowdStrike Holdings Inc. triggered a global IT meltdown.
The key challenge for Microsoft is finding a balance between cybersecurity and competitive pressure to release updates quickly and create new technologies, especially in artificial intelligence. “Customers are yelling at you every day that they want a new feature,” said Microsoft security chief Charlie Bell in an interview. “But they’re not yelling at you every day about the threat of a bad actor.”
The conflict between the two imperatives became plain in May, when the AI team unveiled a Windows feature that creates a record of everything users do on their PCs. Named Recall, the product alarmed security experts and had to be pulled back to make adjustments.
“What we learned from Recall was that we still have the work to do,” said Ann Johnson, a longtime security industry executive who moved from Microsoft’s business development group to one of the new deputy CISO roles earlier this year.
The answer, she said, is to provide clear guidance to teams – standardised tools and checklists – to ensure that all new features and code meet company security standards. “Then they can put out anything, and we’re not in their way,” Johnson said.
Other deputy CISO’s include Vanessa Feliberti Bautista, a three-decade Microsoft veteran, who will keep tabs on security in Microsoft’s 365 corporate products, and Geoff Belknap, former CISO at LinkedIn and Slack, who will look after Microsoft’s core infrastructure as well as acquisitions.
In another sign of Microsoft’s renewed seriousness about product safety, Nadella now devotes an hour during regular Friday leadership meetings to assessing and troubleshooting the security initiative, Bell said. Nadella specifically asked that updates focus on pain points that still need to be addressed.
“You’re going to embrace the red,” Bell said Nadella told the executives. “I don’t want a show telling me how great everything is.”
Nadella also asked his team to stop dwelling on whether complaints about Microsoft’s cybersecurity issues were fair and focus on fixes.
“Just do the work,” Bell said Nadella told Microsoft’s leaders. – Bloomberg
