Analyst: Krista Case
Publication Date: September 30, 2024
Document #: MCNKC202409
In November 2023, Microsoft launched the Secure Future Initiative (SFI) with a mission to transform cybersecurity for the company, its customers, and the broader tech industry. This ambitious undertaking has committed the equivalent of 34,000 full-time engineers. As we move toward the close of 2024, this article provides a progress report on the initiative’s key achievements, focusing on updates and milestones across its six security pillars.
What is Covered in this Article:
- Overview of Microsoft’s SFI – A detailed look at the cybersecurity initiative launched by Microsoft in November 2023, including its goals and the resources committed to it.
- An exploration of the significant achievements across six key cybersecurity pillars, from identity protection to threat monitoring.
- Insights into how Microsoft fosters a security-first culture, including employee accountability, creating a Cybersecurity Governance Council, and executive-level involvement in security performance.
- A deeper analysis of Microsoft’s position within the cybersecurity market and the effectiveness of its strategies compared to industry competitors.
- Examining potential challenges and developments in the cybersecurity landscape, including emerging technologies, competitor moves, and market trends that could influence Microsoft’s trajectory.
The News: In November 2023, Microsoft launched the Secure Future Initiative (SFI), committing 34,000 engineers to tackle global cybersecurity challenges. As of September 2024, the company has made substantial progress across six key areas, including protecting identities, securing networks, monitoring threats, and accelerating response times to vulnerabilities.
The initiative emphasizes transparency, with weekly executive reviews and employee performance-linked accountability. Significant milestones include eliminating 730,000 unused apps, enhanced security in Microsoft’s engineering pipelines, and stronger identity protection systems.
Microsoft’s Secure Future Initiative Marks Major Progress in Cybersecurity
Analyst Take: Microsoft’s progress with the Secure Future Initiative (SFI) highlights its commitment to cybersecurity. Microsoft is setting benchmarks by integrating security into every layer of its operations and products, particularly in identity protection and network security. Its focus on collaboration with regulatory bodies such as CISA and the Cyber Safety Review Board further positions it as a proactive leader in mitigating cyber threats.
The strategic move to link security performance with executive compensation is an intelligent step toward fostering a security-first culture. Furthermore, the continuous reduction of attack surfaces through lifecycle management and isolation of production systems demonstrates a long-term commitment to security, not just reactive measures.
Prioritizing Security at Microsoft
At the heart of SFI is a clear organizational commitment: “security above all else.” This principle permeates every aspect of Microsoft’s operations, with leadership and employees accountable for safeguarding the company’s infrastructure and user data. Several vital updates highlight Microsoft’s strides toward embedding security into its culture and governance.
- Cybersecurity Governance Council: Microsoft has launched a new Cybersecurity Governance Council, led by its Chief Information Security Officer (CISO), Igor Tsyganskiy. This council, supported by newly appointed Deputy CISOs, manages overall cyber risk, defense, and compliance across all engineering divisions.
- Employee Accountability: Security has been made a core part of all employee performance reviews. This is designed to ensure that every individual at Microsoft is empowered and accountable for their role in securing the company’s operations.
- Security Skilling Academy: To support employees in prioritizing security, Microsoft has introduced the Security Skilling Academy, a personalized learning experience that provides curated security training tailored to employee-specific roles.
- Leadership Accountability: Senior leadership’s involvement is also crucial, with Microsoft’s executive team reviewing SFI’s progress weekly and the Board of Directors receiving quarterly updates. Furthermore, security performance is directly linked to executive compensation, reinforcing accountability.
Through these governance and culture initiatives, Microsoft is building a security-first culture that holds every employee and executive responsible for cybersecurity outcomes.
Pillar Highlights: A Comprehensive Cybersecurity Strategy
The SFI is built around six critical security pillars, each representing a focal area for enhancing cybersecurity across Microsoft. Below is a summary of the most recent updates in these pillars.
- Protect Identities and Secrets
  - Microsoft has completed updates to Microsoft Entra ID and the Microsoft Account (MSA) for public and U.S. government clouds. This involved using the Azure Managed Hardware Security Module (HSM) service to automate the rotation of access token signing keys.
  - A broad adoption of Microsoft’s standard identity SDKs now covers over 73% of tokens issued by Microsoft Entra ID. These updates have enhanced the consistency of security token validation across crucial services.
  - Security measures such as phishing-resistant credentials have been enforced for internal Microsoft users, helping to eliminate password-sharing risks.
- Protect Tenants and Isolate Production Systems
  - Microsoft has eliminated 730,000 unused apps and 5.75 million inactive tenants across its environments, drastically reducing the potential attack surface.
  - Over 15,000 production-ready locked-down devices have been deployed in the past three months to further strengthen security across production systems.
- Protect Networks
  - Microsoft’s network protection efforts include recording over 99% of physical assets on its production network in a central inventory system, complete with ownership and firmware compliance tracking.
  - Virtual networks with backend connectivity are now isolated from the corporate network, reducing lateral movement opportunities for potential attackers.
- Protect Engineering Systems
  - Engineering systems have seen increased standardization, with 85% of production build pipelines for the commercial cloud now using centrally governed templates. This makes deployments more secure and consistent.
  - Security measures have been implemented to mitigate risks, such as reducing the lifespan of Personal Access Tokens (PATs) to seven days and disabling SSH access for internal engineering repositories.
- Monitor and Detect Threats
  - Microsoft is standardizing security audit logs across its infrastructure, with relevant telemetry and audit events retained for at least two years.
  - Over 99% of network devices are enabled with centralized security log collection, ensuring robust monitoring and detection capabilities across the organization.
- Accelerate Response and Remediation
  - Microsoft has enhanced its Time to Mitigate (TTM) processes, enabling faster responses to critical cloud vulnerabilities.
  - The company has also increased transparency by publishing Common Vulnerabilities and Exposures (CVEs) even when no customer action is required, reinforcing its commitment to openness.
Microsoft’s Commitment to Security
Microsoft’s SFI represents a significant engineering challenge and a sustained commitment to evolving its security practices in line with the ever-changing threat landscape. As Charlie Bell, Microsoft’s Executive VP of Security, points out, consistent progress—rather than perfection—remains the key to achieving the initiative’s ambitious goals.
Microsoft demonstrates this commitment through its support of industry-wide efforts, such as the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Secure by Design pledge. By embedding security at the foundation of all its products and services, Microsoft aims to set new standards for the entire tech industry.
Integrating recommendations from the Cyber Safety Review Board (CSRB) further strengthens Microsoft’s cybersecurity approach. These industry collaborations improve resilience and provide invaluable feedback that helps Microsoft stay ahead of emerging threats.
Building a Future-Ready Security Framework
The September 2024 progress report reveals that Microsoft has made significant strides toward securing its systems, products, and customers from cyber threats. With over 34,000 engineers dedicated to the initiative, the SFI represents an unparalleled investment in cybersecurity.
The progress across its six pillars demonstrates that Microsoft is adapting to today’s security demands and building a flexible and forward-looking security framework that can evolve alongside emerging threats.
As we look ahead, the work completed so far is just the beginning. Microsoft remains committed to transparency, accountability, and industry collaboration as it refines and expands the SFI. This initiative is more than an engineering challenge; it reflects Microsoft’s mission to build a safer, more secure digital world.
In a world where cyber threats continue to grow more sophisticated, Microsoft’s SFI offers a beacon of hope—a promise that security will remain at the core of every innovation, product, and decision.
What to Watch:
- Establishing Greater Trust with Customers: Microsoft’s SFI will help it to establish greater trust with customers by demonstrating a strong commitment to cybersecurity and data privacy, and messaging how it is baking security capabilities into its products and services.
- AI in Cybersecurity: AI-driven systems are becoming essential for identifying and mitigating sophisticated cyber threats such as polymorphic malware. Microsoft is enhancing its AI capabilities, but competitors such as AWS and Google are also making strides.
- Zero-Trust Implementation: Adopting zero-trust architectures, which require strict verification at every network access point, reshapes cybersecurity strategies. Microsoft and others such as AWS are leading in this field, competing to offer the most effective solutions.
- Tighter Cybersecurity Regulations: Stricter global cybersecurity regulations, such as the NIS2 Directive, force companies such as Microsoft to adapt their security frameworks. This regulatory pressure reshapes cybersecurity as companies strive to comply while innovating.
Read more about Microsoft’s SFI on the Microsoft website.
Disclosure: The Futurum Group is a research and advisory firm that engages or has engaged in research, analysis, and advisory services with many technology companies, including those mentioned in this article. The author does not hold any equity positions with any company mentioned in this article.
Analysis and opinions expressed herein are specific to the analyst individually and data and other information that might have been provided for validation, not those of The Futurum Group as a whole.
Author Information
Krista focuses on data security, protection, and management, with particular attention to how these strategies play out in multi-cloud environments. She brings approximately 15 years of experience providing research and advisory services and creating thought leadership content. Her vantage point spans technology and vendor portfolio developments; customer buying behavior trends; and vendor ecosystems, go-to-market positioning, and business models. Her work has appeared in major publications including eWeek, TechTarget and The Register.
Prior to joining The Futurum Group, Krista led the data protection practice for Evaluator Group and the data center practice of analyst firm Technology Business Research. She also created articles, product analyses, and blogs on all things storage and data protection and management for analyst firm Storage Switzerland and led market intelligence initiatives for media company TechTarget.