The company has appointed new product security chiefs as well as a customer-facing CISO as it continues to respond to high-profile attacks on its products and own network.

Microsoft has added new chief information security officers (CISOs) to product teams and appointed a new deputy CISO to liaise with customers. The moves are part of an ongoing attempt to revamp the company’s approach to security in the wake of a high-profile attack that breached company emails and a sharp rebuke from the federal government on the company’s security practices.

The new product-focused security chiefs will report to Igor Tsyganskiy, Microsoft’s global CISO, who has been in his post for only about six months, according to a published report by Bloomberg. Meanwhile, longtime security executive Ann Johnson is now deputy CISO for customer outreach and regulated industries and will also report to Tsyganskiy. Johnson’s role will focus on “customer engagement and communication about Microsoft’s own security,” Microsoft said in an email, according to the report.

A Microsoft spokesperson said Friday in an email to CSO that the company has nothing to share at the moment about the reported executive changes.

Bolstering security strategy

The executive moves appear to be an extension of the Secure Future Initiative (SFI) that the company unveiled in November to improve the built-in security of its products and platforms to better protect customers against escalating cybersecurity threats. The initiative is aimed at bringing together “every part of Microsoft” to advance cybersecurity protection, incorporating three pillars focused on AI-based cyber defenses, advances in fundamental software engineering, and advocacy for stronger application of international norms, Brad Smith, vice chair and president of Microsoft, said at the time.
Indeed, Microsoft products have historically and notoriously been the target of hackers, who have long exploited flaws in them to conduct malicious activities that have affected numerous organizations and caused widespread damage across myriad geographies and industries.

In December, on the heels of its SFI announcement, Microsoft appointed Tsyganskiy, a relative newcomer to the company, to replace longtime CISO Bret Arsenault, who transitioned to an adviser position.

Ongoing security struggles

Around the same time — but unbeknownst to Microsoft until January — the Russia-based threat group Midnight Blizzard, also known as Nobelium, was hacking the emails of Microsoft employees, including senior staff. The attack was the second known attack on Microsoft by the group; last year Microsoft had accused it of using social engineering to carry out a cyberattack on Microsoft Teams. The US Cybersecurity and Infrastructure Security Agency (CISA) later warned in mid-April that Midnight Blizzard had exploited the compromise to steal the emails of government agencies, advising agencies to urgently check their email systems for signs of compromise.

If these weren’t troublesome enough for the company, Microsoft also faced a scathing assessment by a federal review board earlier in April for another state-sponsored cyberattack that affected the federal government. This one occurred in July 2023, when Chinese threat actors breached Microsoft 365 accounts to target key US government officials. The report released on April 2 by the independent Department of Homeland Security (DHS) Cyber Safety Review Board offered an incendiary review of Microsoft’s security culture and blamed the company for the attack by the group Storm-0558, which the board said easily could have been avoided.
On the right course

Microsoft’s revamped security strategy shows the company incorporating feedback and taking corrective steps forward to improve the overall security posture of the company and its products, particularly as external pressure mounts.

“Microsoft is doing the right thing to increase focus on security with new senior appointments,” noted Pareekh Jain, CEO of EIIRTrend & Pareekh Consulting, in an email to CSO. “Now not only do individuals or groups of hackers attack, but state-sponsored cybersecurity incidents also happen. Product companies like Microsoft, which have a large consumer, enterprise, and government footprint, need to be a few steps ahead.”

Microsoft also will be viewed as an example to other product-focused companies on how to respond to security challenges, so the moves it makes now are crucial for the overall industry security roadmap ahead, he noted.

“In a product business, the key metric is time-to-market for new features; [however,] it’s time that focus also shifts to time-to-security,” Jain observed. “The industry will be watching Microsoft moves, and in the future, more product companies will focus on time-to-security and bringing senior security talent in their product groups.”