
Although Microsoft is by far the world’s largest cloud and AI provider, and despite the very impressive growth rates it has delivered without fail, I have bounced Microsoft from the #1 spot on the Cloud Wars Top 10 because of its disastrous cybersecurity capabilities and culture that surfaced two years ago.
That description of Microsoft’s woeful security shortcomings is not an opinion — it is a fact. And in this article, I’ll substantiate that claim with two key pieces of supporting evidence:
- Findings from a detailed report from the federal government’s Cyber Safety Review Board (CSRB) that I helped bring to light throughout 2024; and
- Microsoft’s own admission — spelled out in detailed posts from CEO Satya Nadella and from security business EVP Charlie Bell — that the company’s security products, approaches, investment priorities, and corporate culture were all so deeply flawed and ineffective that Nadella and Bell had no alternative other than rebuilding Microsoft’s entire approach to cybersecurity from top to bottom.
On April 8, 2024, I posted an analysis headlined “Microsoft Cybersecurity Disaster Triggers Customer Doubt, Competitor Opportunity” and containing this excerpt:
While the entire report from the CSRB serves as a devastating critique of Microsoft’s cybersecurity capabilities, mindset, technologies, and approaches, the following excerpt clearly illuminates the challenges Microsoft faces in regaining the trust of business leaders evaluating if they still can and should trust the safety of their business to the Microsoft Cloud:
“Throughout this review, the Board identified a series of Microsoft operational and strategic decisions that collectively point to a corporate culture that deprioritized both enterprise security investments and rigorous risk management.”
Look once more at that part about “a corporate culture that deprioritized … enterprise security investments,” and bear in mind that for its most recently reported quarter, Microsoft generated $62 billion in total revenue and net income of $21.9 billion, with Microsoft Cloud contributing more than half — $33.7 billion — of that revenue. Despite those extraordinary financial resources at Microsoft’s disposal, the federal watchdog group said, the company’s “corporate culture … deprioritized both enterprise security investments and rigorous risk management.”
Unfortunately, the CSRB report is no longer available because a year ago the Trump administration shut down the agency. But before that shutdown, Microsoft CEO Nadella himself referenced the report in his internal memo cited above, and here are a few excerpts from the Nadella memo included in my analysis dated May 9, 2024, and headlined “Can Satya Nadella Fix Microsoft’s Badly Broken Security Culture?” In each bullet point, Nadella’s comments (in quotation marks) are followed by comments from me in italics:
- ‘Underscores our responsibility’: “The recent findings by the Department of Homeland Security’s Cyber Safety Review Board (CSRB) regarding the Storm-0558 cyberattack, from summer 2023, underscore the severity of the threats facing our company and our customers, as well as our responsibility to defend against these increasingly sophisticated threat actors.” All of that is unequivocally true — but I believe Nadella should have focused on not only “the severity of the threats facing our company” but also the Microsoft technological and cultural shortcomings and deficiencies that the CSRB report laid out in extreme detail. To see some of the most-striking examples of those findings, check out my April 8 analysis.
- Companywide commitment: “Going forward, we will commit the entirety of our organization to SFI (Secure Future Initiative), as we double down on this initiative with an approach grounded in three core principles: Secure by Design: Security comes first when designing any product or service; Secure by Default: Security protections are enabled and enforced by default, require no extra effort, and are not optional; Secure Operations: Security controls and monitoring will continuously be improved to meet current and future threats.” Implicit in Nadella’s words is the acknowledgment that security was certainly not a companywide commitment, and that Microsoft — for all of its good intentions — is playing catch-up.
- #1 investment priority: “If you’re faced with the tradeoff between security and another priority, your answer is clear: Do security. In some cases, this will mean prioritizing security above other things we do, such as releasing new features or providing ongoing support for legacy systems.” Again, that’s a good remediation step — but it also underscores that Microsoft has not been doing this in the past, and has instead just chosen to speak loftily about its huge commitments to security.
At the bottom of this article, I’ve inserted an extensive list of my analyses of these cybersecurity challenges raised by the CSRB, which include my bewilderment at Microsoft’s unwillingness — particularly from Nadella — to address the issue more transparently in hopes of reassuring customers. Those analyses go into great detail about Microsoft’s shortcomings, the scale of those shortcomings, and the enormous challenge it continues to face in an area where anything less than world-class is simply not good enough.

How Can a Company with Massive Security Problems Be #1?
That’s been the question I’ve asked myself over and over for the past 18 months as I tried to find the right balance between two wildly divergent realities:
- Microsoft’s ongoing success in the commercial marketplace, which I have noted on many, many occasions, including this one from August 4, 2025: Microsoft’s Stunning Q4 Results Are Best in History of Business; and
- the company’s unwillingness — or its inability — to address the glaring cybersecurity weaknesses and flaws and shortcomings that finally — finally! — led Nadella and Bell to disclose their plans to drastically overhaul every facet of Microsoft’s security business, outlook, and culture.
How extreme was that makeover? Here’s Nadella from his memo to the company referencing the CSRB findings:
We’ve shared specific, company-wide actions each of these pillars will entail – including those recommended in the CSRB’s report which you can learn about here. Across Microsoft, we will mobilize to implement and operationalize these standards, guidelines, and requirements and this will be an added dimension of our hiring and rewards decisions. In addition, we will instill accountability by basing part of the compensation of the senior leadership team on our progress towards meeting our security plans and milestones.
Too Little, Too Late: Why Did Nadella Let Cybersecurity Become an Afterthought?
The latest update I was able to find from Microsoft is a November 10, 2025 blog post from Bell reiterating various things he’s said over the past 15-18 months.
I see that as a nice bit of patchwork. However, the larger issue is how Microsoft allowed the security of its customers to become such a low priority that the company, in order to fix it, had to change everything from product development to investment priorities to compensation and bonuses and hiring.
And, I must underscore that Microsoft and Nadella did not just wake up one day and realize they needed to make drastic changes — instead, their ongoing bumbling would have continued indefinitely had the CSRB report not come to light. It was only after that very public humiliation that Microsoft decided to act.
So, in spite of all the company’s commercial prowess and achievements, there is just no way that a company that for so long placed such little value on the cybersecurity of its customers deserved to be regarded as the world’s leading cloud and AI provider.
And so, I moved Microsoft down to #3, elevated Google Cloud to #1, and boosted Oracle to #2. Because unlike Microsoft, both Google Cloud and Oracle have long made cybersecurity an absolute top priority.
In fact, shortly after I posted my first analysis of the Microsoft security failings exposed in the CSRB report, Google Cloud released a scathing report citing Microsoft’s security flaws and contrasting those with the very different and long-term approach to security taken by Google Cloud: Microsoft Security Takes Another Beating as Google Cloud Showcases Microsoft’s Vulnerabilities.
Final Thoughts
The old Latin phrase sic transit gloria mundi — “thus passes the glory of the world” — is a reminder to us all that earthly fame and glory and success and adulation can be fleeting — what only recently seemed invincible and unalterable is often revealed to be highly vulnerable and transitory.
And so, with the ousting of Microsoft after a four-year run at the top of the Cloud Wars Top 10 — a run that began with me taking a great deal of criticism for being so foolish as to believe that anybody but AWS could be king of the cloud — Google Cloud has richly earned the top spot. You can see some of my thinking about that ascent in these analyses:
- WATCH: my recent 1:1 with CEO Thomas Kurian: Thomas Kurian Explains the Discipline Behind Google Cloud’s Growth
- CEO Thomas Kurian on #1 Google Cloud: ‘Understand the Customer’
- Google Cloud Surges to #1 on Cloud Wars Top 10; Oracle Jumps to #2, Microsoft Slides to #3
- WATCH: my Cloud Wars Minute on Google Cloud Jumps to #1 on Cloud Wars Top 10! Oracle Rises to #2, Microsoft Slides to #3
- WATCH: fireside chat with my CEO John Siefert on Google Cloud Takes No. 1 as Cloud Wars Top 10 Gets a Major Shake-Up
And finally, as promised above, here’s a list of some of my 2024 coverage of the gaping flaws in Microsoft’s cybersecurity products, priorities, and culture.
- April 8 — Microsoft Cybersecurity Disaster Triggers Customer Doubt, Competitor Opportunity
- WATCH: Can Satya Nadella Fix Microsoft’s Cybersecurity Disaster?
- May 2 — Dear Satya Nadella: Why Are You Whitewashing the Microsoft China Cybersecurity Crisis?
- WATCH: Satya Nadella: Why No Mention of China Cybersecurity Disaster?
- May 6 — WATCH: Satya Nadella Addresses Microsoft China Security Disaster
- May 9 — Can Satya Nadella Repair Microsoft’s Badly Broken Security Culture?
- WATCH: Nadella Overhauls Microsoft Security: Plan Reveals Deep Flaws
- May 21 — WATCH: Special Report: How Microsoft Plans to Regain Trust After Cybersecurity Disaster (by Acceleration Economy cybersecurity analyst Chris Hughes)





