Microsoft's president vows to implement major shifts in the company culture, focusing on enhancing security measures.
Microsoft has unveiled a comprehensive plan for cultural change, focusing on fundamental security-focused reforms across the company. This shift comes in response to recent security failures, as recommended by the Cyber Safety Review Board (CSRB). The CSRB report highlighted an "inadequate" security culture at Microsoft, given its critical role in the tech ecosystem.
The plan involves a public commitment to security reforms, with leadership accountability and scheduled milestones. Microsoft's CEO and board are expected to share this plan, taking responsibility for security improvements broadly across all of Microsoft's products and services.
The security failures, as reported, include allowing underqualified subcontractors to oversee Chinese engineers on sensitive U.S. military cloud projects and a critical flaw in Microsoft SharePoint exploited by hackers, leading to breaches in U.S. agencies and universities.
Microsoft President Brad Smith testified before the House Committee on Homeland Security, acknowledging full responsibility for these security lapses. He also expressed a desire for a culture at Microsoft that encourages employees to look for problems, find problems, report problems, help fix problems, and learn from the problems.
At the leadership level, the plan implies changes to internal governance and operational security procedures in order to establish accountability. However, the role of executive bonuses in this plan remains somewhat unclear. While the CSRB report does not explicitly recommend linking senior executives' annual bonuses to cybersecurity improvements, Microsoft has approved a plan to tie a portion of these bonuses to cybersecurity performance.
Starting from July 1, one-third of a senior leader's individual performance for their annual bonus at Microsoft will be based on their cybersecurity-related performance. This move is part of Microsoft's efforts to make security an integral part of its operations.
Security will also become part of the biannual review for all employees at Microsoft. The company is working on the largest engineering project focused on security in the history of digital technology, with more than 34,000 full-time engineers dedicated to this endeavour.
Critics such as Ryan Kalember, chief strategy officer at Proofpoint, have faulted Microsoft for prioritising product interconnectedness over building products that are secure by design, which compounds security risks. Kalember also stated that Microsoft leaves product security in the rear-view mirror in comparison to rivals like Apple, Amazon, or Google.
However, Brad Smith has emphasised Microsoft's commitment to finding and addressing vulnerabilities. When asked whether other, similar vulnerabilities could affect product security, Smith said he was not aware of any, but "everything we're doing is focused on finding every vulnerability that we can find."
The culture change at Microsoft is aimed at encouraging workers to speak up about security concerns. This shift follows the U.S. Cyber Safety Review Board's report analyzing Microsoft's security culture following the summer 2023 hack of Microsoft Exchange Online by a state-linked threat group.
A notable example of the need for such a culture shift came to light in a ProPublica report about a whistleblower who alleged Microsoft ignored years of warnings from one of its own engineers about a vulnerability that led to the Sunburst attacks. The whistleblower, Andrew Harris, left Microsoft in 2020 and later joined rival CrowdStrike.
During the hearing, Smith said he had not had a chance to review the ProPublica report as he had been at the White House prior to the hearing. Smith's testimony before the House Committee on Homeland Security marked a significant step in Microsoft's commitment to transparency and accountability in the face of security challenges.
- Microsoft's new plan for cultural change emphasizes security reforms, with one-third of a senior leader's annual bonus now tied to their cybersecurity-related performance, aiming to make security an integral part of the company's operations.
- Critics like Ryan Kalember have questioned Microsoft's approach to security, suggesting that the company prioritizes product interconnectedness over building secure-by-design products, which potentially compounds security risks.
- In response to the U.S. Cyber Safety Review Board's report and the summer 2023 hack of Microsoft Exchange Online, Microsoft is encouraging workers to speak up about security concerns, aiming to foster a culture that values transparency and accountability in the face of security challenges.