In a 25-page Secure Future Initiative (SFI) progress report, Microsoft explained a series of technical and governance changes, following the framework set out in a critical report by the Cyber Safety Review Board (CSRB) in April 2024 that described Microsoft’s security culture as “inadequate.”
Vole said it would protect identities and secrets by using hardware security modules for token signing keys, eliminating unused apps and tenants, using “Just in Time” and “Just Enough Access” policies for elevated roles, and monitoring and detecting threats by ensuring standardised security logs for all assets.
“In May 2024, we expanded the initiative to focus on six key security pillars, incorporating industry feedback and our insights. Since the initiative began, we’ve dedicated the equivalent of 34,000 full-time engineers to SFI — making it the largest cybersecurity engineering effort in history,” Bell wrote in a blog post accompanying the report.
Microsoft also named the 13 people who now serve as deputy chief information security officers (CISOs) in its product groups, following up on a part of the plan announced in May. The deputy CISOs report directly to Microsoft’s Chief Information Security Office, led by Igor Tsyganskiy as Microsoft’s CISO.
Bell, the Microsoft Security executive vice president, explained that the company’s senior leadership team reviews its security progress weekly, and Microsoft’s board gets updates quarterly.
Microsoft revealed in January that a Russian state-sponsored actor known as Nobelium or Midnight Blizzard accessed its internal systems and executive email accounts. The company recently said the same attackers could access some of its source code repositories and internal systems.
In another high-profile incident, Chinese hackers in May and June compromised the Microsoft Exchange Online mailboxes of more than 500 people at 22 organisations worldwide, including senior US government officials.