Microsoft Delivers an SFI Progress Report

Secure Future Initiative (SFI) tenets

Microsoft today cited the progress it’s made with its Secure Future Initiative (SFI), allegedly the “largest cybersecurity engineering effort in history.” I’m going to call BS on that claim, since it didn’t halt development of its core software platforms, as it was forced to do with the Trustworthy Computing initiative 22 years ago. But the marketing behind SFI, coming as it does during Microsoft’s mad rush to spread AI everywhere, is of course noteworthy. And the firm seems to be sincere about doing better.

“At Microsoft, we recognize our unique responsibility in safeguarding the future for our customers and community,” Microsoft executive vice president Charlie Bell writes. “As a result, every individual at Microsoft plays a pivotal role to ‘prioritize security above all else.’ We’ve made significant progress in fostering a security-first culture.”

Among that progress is the creation of a new Cybersecurity Governance Council and the appointment of Deputy Chief Information Security Officers (Deputy CISOs) for key security functions and all engineering divisions; these deputy CISOs staff the Cybersecurity Governance Council, are responsible for the company’s overall cyber risk, defense, and compliance, and report directly to CISO Igor Tsyganskiy.

Microsoft has also made security a core part of each employee’s annual performance review and launched a Security Skilling Academy to train employees to prioritize security in their daily work. The Microsoft senior leadership team (SLT) now reviews SFI progress every week and updates the company’s Board of Directors each quarter. And the SLT now has its security performance directly linked to its compensation as well.

It’s also issued a 25-page report for those who wish to understand this progress in greater detail.

As you may recall, Microsoft announced SFI last November in the wake of a string of cyberattacks, claiming for the umpteenth time that it was getting serious about security again. It then re-announced SFI this past May, at which point it expanded its focus to six key security pillars, again stressing that it was now “serious” about security. And then the CrowdStrike outage happened this past summer, with everyone blaming Microsoft for the issues, and Microsoft pointing the finger at its self-inflicted antitrust problems. It then held a security summit earlier this month with CrowdStrike and other security players, but little came of it.

Now, Microsoft is “reaffirming” its security commitment.

“The work we’ve done so far is only the beginning,” Mr. Bell concludes. “We know that cyberthreats will continue to evolve, and we must evolve with them. By fostering this culture of continuous learning and improvement, we are building a future where security is not just a feature, but a foundation.”
