The new product-focused security chiefs will report to Igor Tsyganskiy, Microsoft’s global CISO, who has been in the position for only around six months.
Microsoft has appointed new chief information security officers (CISOs) to its product teams, as well as a new deputy CISO to handle customer relations. The changes are part of an ongoing effort to improve the firm’s approach to security in the aftermath of a high-profile attack that compromised company emails and a harsh rebuke from the federal government on the company’s security policies.
According to a source, the new product-focused security chiefs will report to Igor Tsyganskiy, Microsoft’s global CISO, who has been in the position for only around six months. Meanwhile, Ann Johnson, a long-time security executive, is now the deputy CISO for customer outreach and regulated industries, reporting to Tsyganskiy.
Johnson’s responsibilities would include “customer engagement and communication about Microsoft’s own security,” Microsoft stated in an email, according to the report. In an email to CSO on Friday, a Microsoft spokeswoman stated that the company has nothing to discuss at this time regarding the purported senior changes.
The CEO’s appointments appear to be an extension of the company’s Secure Future Initiative (SFI), which was announced in November to improve the built-in security of its products and platforms in order to better protect customers from rising cybersecurity threats.
The new initiative aims to bring together “every part of Microsoft” to advance cybersecurity protection, with three pillars focusing on AI-based cyber defenses, advances in fundamental software engineering, and advocacy for stronger application of international norms, Brad Smith, Microsoft’s vice chair and president, said at the time.
Indeed, the firm’s products have long been the target of hackers, who have exploited faults in them to carry out nefarious operations that have harmed various organizations and caused enormous damage across multiple regions and industries.
In December, following its SFI announcement, Microsoft appointed Tsyganskiy, a relative newcomer to the firm, to replace former and longtime CISO Bret Arsenault, who was promoted to adviser.
Around the same time, but unknown to Microsoft until January, a Russia-based threat group called Midnight Blizzard, also known as Nobelium, was hacking the emails of Microsoft employees, including senior executives. This was the group’s second documented attack on Microsoft; last year, Microsoft accused it of using social engineering in an attack on Microsoft Teams.
The US Cybersecurity and Infrastructure Security Agency (CISA) later reported in mid-April that Midnight Blizzard used the intrusion to steal official emails, and recommended that agencies immediately review their email systems for evidence of infection.
As if these weren’t enough problems for Microsoft, a federal review body slammed the company earlier in April over another state-sponsored cyberattack on the federal government. This one happened in July 2023, when Chinese threat actors accessed Microsoft 365 accounts to target senior US government leaders.
The report from the Department of Homeland Security’s (DHS) independent Cyber Safety Review Board, released on April 2, provided an explosive critique of Microsoft’s security culture and chastised the firm for the attack by the group Storm-0558, which the board stated could have been easily avoided.
Microsoft’s revised security plan shows the corporation embracing input and taking corrective measures to strengthen the overall security posture of the company and its products, especially as external pressure grows.
“Microsoft is doing the right thing to increase focus on security with new senior appointments,” said Pareekh Jain, CEO of EIIRTrend & Pareekh Consulting, in an email to CSO. “Now, state-sponsored cybersecurity issues occur in addition to individual or group hacking attacks. Product firms like Microsoft, with a big consumer, enterprise, and government footprint, must be a few steps ahead.”
The firm will also be held up as an example to other product-focused companies on how to respond to security threats, so the decisions it makes now are critical for the wider industry security strategy, he said.
“In a product business, the key metric is time-to-market for new features; however, it’s time that focus also shifts to time-to-security,” Jain said. “The industry will be watching Microsoft moves, and in the future, more product companies will focus on time-to-security and bringing senior security talent into their product groups.”