Microsoft restructures security governance, aligning deputy CISOs and engineering teams

Charlie Bell, Microsoft

Redmond adopts ‘six pillars’ to better detect threats

Microsoft on Friday unveiled plans to expand a comprehensive security makeover by accelerating its Secure Future Initiative and making changes to governance and how it compensates key executives. 

Microsoft is restructuring part of its upper management to elevate cybersecurity governance. Engineering and a group of deputy CISOs will partner to oversee SFI, manage risks and report to senior leadership, Charlie Bell, EVP, Microsoft Security, said in a blog post. The company will partially base compensation on how much progress is made towards certain security milestones.

Microsoft said it will review SFI progress weekly with the senior leadership team and brief its board of directors quarterly.



The company is also rolling out a series of changes by creating six security pillars designed to better detect threats, strengthen authentication and better secure cloud environments: 

  • Protect identities and secrets
  • Protect tenants and isolate production systems
  • Protect networks
  • Protect engineering systems
  • Monitor and detect threats
  • Accelerate response and remediation

Microsoft has come under withering criticism from security industry executives and federal officials over the security culture that preceded the recent state-linked hacks.

Among the key changes, Ann Johnson, a longtime corporate VP at the company, is adding the title of deputy CISO, customer outreach and regulated industries, according to a Microsoft spokesperson. Johnson will be tasked with scaling customer engagement and communications about Microsoft’s own security. Bloomberg first reported the changes regarding security chiefs.

Microsoft is also bringing nation-state actor and threat hunting under CISO Igor Tsyganskiy’s purview. 

The renewed scrutiny on Microsoft followed findings from a Cyber Safety Review Board report in early April, in which the company was heavily criticized for its response to the summer 2023 hack of Microsoft Exchange Online.

The board said the attack – which led to the theft of 60,000 US State Department emails and the compromise of Commerce Secretary Gina Raimondo’s email account – was entirely avoidable, and blasted Microsoft for creating a culture that emphasizes product development and features over customer security.

In a separate attack, the Russia-linked threat group Midnight Blizzard stole credentials and source code, forcing the Cybersecurity and Infrastructure Security Agency to issue mitigation guidance to key federal agencies.

Jess Burn, principal analyst at Forrester, said the Microsoft announcements were necessary steps and compared them to recent changes at other companies that have appointed business information security officers.

“They must secure what they sell,” Burn said via e-mail.  

Jake Williams, faculty member at IANS Research, said the goals outlined by Microsoft are ambitious and represent something of a transformation in the corporate culture at Microsoft.

“Most organizations have neither the will nor the technical ability to achieve these goals, but any organization that does will be in a prime position to repel most intrusions,” Williams said via e-mail. “Microsoft certainly has the technical ability to implement these, but that’s always been the case. It appears they now have the political will to do so as well.”

News Wires