Microsoft Happy-Talk Security Update Triggers 10 Tough Questions

While Microsoft appears to be energetically pumping up its cybersecurity efforts after a series of embarrassing incidents, the company’s list of proof-points meant to underscore that “security is our top priority” raises some very big questions, starting with this one: What was Microsoft’s top priority before it was security?

I’ll get to those other big questions in a moment, but first let me toss out a few guesses as to what the previous “top priority” might have been:

• Revenue?
• OpenAI?
• Closing the Activision deal?
• Margins?
• Figuring out how to massage its plans to become a massive user of nuclear power into its “green” image? (BTW, I’m a huge fan of the Three Mile Island plan!)
• Staying ahead of a revitalized AWS?

I guess the burr under my saddle is that Microsoft appears to want to be applauded, appreciated, and admired for recognizing — here in the year 2024 — that security can’t be a second thought and certainly should never be an after-thought. That’s why I’m puzzled about what Microsoft’s top priority was before CEO Satya Nadella finally got fed up with his company’s multititude of security shortcomings and public embarrassments and decreed that from here on out, security is now The Big Thing.

The bare fact that Microsoft is finally acknowledging the primacy of security in today’s digital world is, I guess, a good thing. But to frame it bluntly, what the hell took them so long to realize this??

Here’s an excerpt from the big security updates Microsoft released this week. I’m not sure what you’ll make of it, but to me it all seems patently obvious — it all looks like the kind of stuff everyone just assumed Microsoft has been doing for the past five years as it became the world’s largest enterprise-cloud provider, with calendar-2024 cloud revenue likely to be approaching $150 billion. The excerpt is from executive vice-president and head of Microsoft’s security business Charlie Bell in a blog post from earlier this week:

“At Microsoft, we recognize our unique responsibility in safeguarding the future for our customers and community. As a result, every individual at Microsoft plays a pivotal role to ‘prioritize security above all else.’ We’ve made significant progress in fostering a security-first culture.”

Okay — sounds nice and warm and all that. But the key point emerges in the third and final sentence when Bell admits quite specifically that Microsoft — again, the world’s largest cloud vendor and one of the world’s leading purveyors of AI technology and of enterprise applications and lots more — does not have a security-first culture, and instead is simply making “progress in fostering a security-first culture.”

Ask Cloud Wars AI Agent about this analysis

To you CEOs and CIOs out there evaluating cloud and AI providers: Does that revelation from security leader Bell give you full confidence about turning over the future of your enterprise — and perhaps of your career as well — to Microsoft?

Well, I see I’m starting to jump ahead into my list of big questions about this whole Microsoft conversion, so let’s get started on those.

1. QUESTION: As noted above, what the hell took Nadella and team so long to recognize that security isn’t an up-sell or an add-on, but must instead be the core of everything Microsoft does?
2. QUESTION: How could Nadella have had such a complete blind-spot regarding security, which has dominated top-level thinking among the Cloud Wars Top 10 companies for the past several years?
3. Peter Drucker famously said that “culture eats strategy for breakfast.” And in a devastating report on Microsoft’s security shortcomings released earlier this year, a team within the U.S. Department of Homeland Security called the Cyber Safety Review Board blasted the Microsoft culture for failing to prioritize security, failing to hold anyone accountable for security problems and disasters, failing to tie executives’ financial incentives to security, and failing to adequately fund security initiatives despite Microsoft being one of the wealthiest companies the world has ever known. (For its fiscal 2024, Microsoft’s net income was $88.1 billion.) QUESTION: Beyond the rather trivial cultural changes cited by Bell in his blog post, how is Microsoft attempting to overhaul its culture to ensure security becomes the top priority in reality as opposed to in messaging?
4. Late last year, Microsoft brought in a new CISO from outside the company — and bravo on that decision! Igor Tsyganskiy comes from one of the world’s largest asset-management companies (Bridgewater Associates) and brings a much-needed customer perspective to this vital position. The previous CISO, Bret Arsenault, was the ultimate corporate lifer and insider: In his 35-year career at Microsoft, he was the CISO for 23 straight years until Nadella realized late last year that a new leader with new vision was needed to drive the necessary changes. QUESTION: How is it possible that Nadella — one of the world’s top CEOs — did not realize much earlier that a new CISO was essential as part of a desperately needed overhaul of security?
5. New CISO Tsyganskiy reports to security leader Bell, who for the past three years has held the title of executive vice president, security, compliance, identity, and management. And Arsenault, who is probably a wonderful person but who nevertheless presided along with Bell over an organization that was so woefully out of step with current realities that Microsoft is overhauling the entire security operation, now serves as corporate vice-president and chief cybersecurity advisor. QUESTIONS: Since joining Microsoft from Amazon in September 2021, has Bell been loudly and relentlessly urging Nadella to overhaul Microsoft’s entire approach to security? If not, why should Nadella and Microsoft’s customers believe he’s the right person to lead the necessary changes? Conversely, if Bell was indeed beating the drum for sweeping changes to security, why did Nadella not listen? Why did Nadella wait two years? What were the conflicting priorities that blinded Nadella and other top-level leaders to regard security as anything other than the top priority?

Final Thoughts

In addition to the blog post from Bell outlining this first rounds of changes, Microsoft also earlier this week published a September 2024 Progress Report on their efforts. Much of that 25-page document is devoted to discussion of the company’s six “engineering pillars” on which its new security development and behavior is based. Take a look at those six pillars:

1. Protect identities and secrets
2. Protect tenants and isolate production systems
3. Protect networks
4. Protect engineering systems
5. Monitor and detect threats
6. Accelerate response and remediation

In Bell’s blog post, he says those “six key pillars” each represent “a critical area of cybersecurity focus. These pillars guide our ongoing work to raise the bar for security across Microsoft and help us meet the evolving demands of the security landscape.”

Do those pillars — whose descriptions take up almost 20 of the progress report’s 25 pages — fill you with optimism about Microsoft’s new security vision, security commitment, and security culture?

Me neither.

AI Copilot Summit NA is an AI-first event to define the opportunities, impact, and outcomes possible with Microsoft Copilot for mid-market & enterprise companies. Register now to attend AI Copilot Summit in San Diego, CA from March 17-19, 2025.