Infosec experts say the Secure Future Initiative (SFI) progress report shows Microsoft has made important changes to its policies, practices and accountability structures. On the 23rd, Microsoft published the first progress report of its Secure Future Initiative, a commitment from the tech giant to bolster its defenses and prioritize principles such as security by design and security by default. The first progress report evoked cautious optimism from the greater security community, but experts said it's clear there's more work to be done. It remains to be seen whether these improvements alone would prevent a repeat of the Storm-0558 attack, or how much technical debt Microsoft is burdened by -- this is only a progress report on an ongoing commitment, after all -- but responses to the progress report have been broadly positive despite remaining concerns.

In Microsoft's Secure Future Initiative September 2024 progress report, the company covered multiple areas in which it has bolstered its security efforts in the last several months. In the company's SFI expansion, Microsoft Security Executive Vice President Charlie Bell said it would prioritize "security above all else" and laid out six pillars of this mission in a blog post. On the company culture and governance end, Microsoft said it dedicated "the equivalent of 34,000 full-time engineers" to SFI, new employee training, and a prioritization of security that measures security performance in both employee performance reviews and senior leadership team compensation. TechTarget Editorial asked Microsoft what types of authentication methods were included in the "phishing-resistant credentials" referenced in the progress report.

Casey Ellis, Bugcrowd founder and chief strategy officer, said SFI is essentially the 2.0 version of the Trustworthy Computing memo, a historically significant email Bill Gates sent to Microsoft employees in 2002 to prioritize product security. He said that, like its predecessor, SFI's goal is to reorient Microsoft "from a tactical and reactive approach to security toward one that addresses it from the core." This latest report, Ellis said, shows that some progress has been made.

"After a year, it looks like Microsoft has made some smart and substantive initial progress in elevating security across the whole organization: investment in security-focused head count, inclusion of security into performance reports across the entire organization, establishment of internal security leadership teams who -- importantly -- report directly to the Microsoft Board of Directors, and the establishment of strong governance structures across the organization and burning down a bunch of the 'big rocks' against their secure engineering pillars," he said in an email.

"Microsoft's first Secure Future Initiative progress report looks promising," she said.

"It required the Cyber Safety Review Board to do a detailed report to get any transparency on the breach of Microsoft by the Chinese last year, and Microsoft has been quietly informing customers that their information was stolen by the Russians throughout 2024."
This Cyber News was published on www.techtarget.com. Publication date: Thu, 03 Oct 2024 19:43:05 +0000