Microsoft Corp. executives today outlined a broad internal initiative designed to enhance the company’s cybersecurity posture.

The tech giant is launching the effort following a probe into its breach prevention practices by the U.S. Cyber Safety Review Board, or CSRB. The assessment was prompted by a high-profile breach that saw China-linked hackers breach Microsoft’s Exchange Online email service. The CSRB found the company had a “corporate culture that deprioritized enterprise security” and was “at odds with the company’s centrality in the technology ecosystem.

In a 34-page report, the board recommended that Microsoft develop a plan to improve its breach prevention procedures and make the plan publicly available. The cybersecurity improvement initiative the company detailed today addresses that recommendation. According to Microsoft, the effort also builds on lessons gleaned from a recent breach in which Russian hackers compromised several of its executives’ inboxes.

In an internal memo detailing the company’s new cybersecurity push, Chief Executive Officer Satya Nadella wrote that “if you’re faced with the tradeoff between security and another priority, your answer is clear: Do security. In some cases, this will mean prioritizing security above other things we do, such as releasing new features or providing ongoing support for legacy systems.”

Charlie Bell, the executive vice president of Microsoft Security, detailed the plan’s other elements in a blog post today. He explained that the initiative revolves around three “security principles” and six “prioritized security pillars.” Going forward, Microsoft executives’ compensation will be partly calculated based on how well the company meets the goals of the plan.

The first three security pillars outlined by Bell form the effort’s high-level framework. The first pillar states that “security comes first when designing any product or service,” the executive wrote in the blog post. The other two specify that Microsoft’s cybersecurity measures will be enabled by default, won’t require extra effort to use and will be continuously improved over time.

The cybersecurity plan’s six prioritized security pillars, in turn, outline a more detailed set of steps Microsoft will take to reduce the risk of breaches.

Two of the pillars focus on improving the security of sensitive data assets. The first covers secrets, a term that covers files such as encryption keys, as well as the data and systems Microsoft leverages to manage users’ access to applications. The second pillar in the set outlines a series of steps Microsoft will take to prevent hackers from accessing its products’ source code.

The plan’s next two pillars cover the security of the company’s networks, production environments and customers’ deployments of its products. Microsoft’s efforts in this area will place a particular emphasis on isolating different systems from one another to ensure hackers can’t spread malware between them.

The final two pillar of the plan focus on streamlining the way the company detects and responds to cybersecurity risks. As part of the push, Microsoft will retain security logs from its systems for at least two years to support breach investigations. In conjunction, the company plans to increase the speed at which it mitigates vulnerabilities discovered by employees and third-party researchers. 

“The Secure Future Initiative empowers all of Microsoft to implement the needed changes to deliver security first,” Bell detailed. “We will take our learnings from security incidents, feed them back into our security standards, and operationalize these learnings as paved paths that can enable secure design and operations at scale.”

Photo: Pixabay