Source: https://www.theregister.com/2024/09/23/microsoft_secure_future_initiative/
So how's Microsoft's Secure Future Initiative going?

34,000 engineers pledged to the cause, but no word on exec pay

Microsoft took a victory lap today, touting the 34,000 full-time engineers it has dedicated to its Secure Future Initiative (SFI) since it launched almost a year ago and making public its first progress report on efforts to improve security in its products and services.

As Register readers likely remember, SFI was rolled out in November 2023 following widespread criticism of Microsoft's security failings – the most recent (at the time) being Chinese spies compromising tens of thousands of Microsoft-hosted email accounts belonging to government officials. That was before it came to light that Kremlin spies broke into Microsoft's network and stole source code via an account that didn't have multi-factor authentication (MFA) enabled.

In May, Microsoft doubled down on SFI after the Cyber Safety Review Board report lashed Redmond for a "cascade" of "avoidable errors" that made the Chinese attack possible, and Congress summoned Microsoft president Brad Smith to testify about the blunders. At the time, CEO Satya Nadella and Microsoft Security EVP Charlie Bell made public pledges to "prioritize security above all else." This included linking cybersecurity performance to senior execs' compensation plans, and including security as a "core priority" in all employees' performance reviews.

In today's report, Microsoft confirmed that both of these things have happened. Unfortunately, we still don't have any specifics about which execs got raises – or were dinged – for the company's infosec efforts and progress. We're not even sure how this will be measured and then end up in senior leaders' paychecks. The Register asked Microsoft for more details about this part of the plan but Microsoft declined to comment further.
While we don't expect to see employees' reviews posted for all to see, it's also unclear how to build transparency and accountability around this commitment.

"Establishing Security as a Core Priority in employee Connects accelerates Microsoft's overall SFI progress by encouraging all employees to keep cybersecurity as a guiding principle and contribute in aligned ways through their own teams," a spokesperson told The Register.

Redmond's report did note that to support this effort, it launched the Microsoft Security Academy in July. This is a "personalized learning experience of security-specific, curated trainings for all worldwide employees," we're told.

The six SFI engineering "pillars," however, are slightly easier to measure. Here's how Redmond says it's doing in those areas:

There's also a "Governance" piece under SFI. As part of this, Redmond set up a new Cybersecurity Governance Council and appointed 13 deputy Chief Information Security Officers (deputy CISOs) responsible for spearheading SFI company-wide. They also update the board of directors quarterly about progress toward these goals. These 13 deputy CISOs are:

Bell today touted Microsoft's commitment to achieving its SFI objectives, and said "the work we've done so far is only the beginning."

"We know that cyberthreats will continue to evolve, and we must evolve with them," he continued.

We couldn't agree more. Because words and security initiatives are nice, but the real test will be to see how Microsoft handles the next time that Russia or China or someone else tries to break into customers' email inboxes or Redmond's internal environment. By nature of its size and scope, Microsoft has a huge target on its back for adversarial nations and financially motivated cybercriminals alike. If Microsoft can't protect customers from these threats, which, as Bell rightfully notes, are continually evolving, then all of these words are useless. Let's see the actions to back them up.
Daily Brief Summary
Microsoft has assigned 34,000 engineers to its Secure Future Initiative (SFI) aimed at enhancing product security.
The initiative was partly triggered by breaches involving Chinese and Russian entities accessing Microsoft-hosted email accounts and internal networks.
After critique from the Cyber Safety Review Board and a Congressional hearing, security has been made a core component of executive compensation and employee performance reviews.
Microsoft launched the Security Academy to provide security-specific training to all its employees globally.
The SFI includes six engineering pillars, though specific executive compensation adjustments for security improvements remain undisclosed.
A new Cybersecurity Governance Council and 13 deputy CISOs have been appointed to guide the initiative, providing quarterly updates to the board.
Despite these efforts, Microsoft acknowledges the ongoing challenge of evolving cyber threats and the need to adapt continually.