How Microsoft is Securing the Future of Innovation

Microsoft’s Secure Future Initiative (SFI), launched in late 2023, is widely regarded as the largest cybersecurity engineering project in history.

Since its inception, the company has invested the equivalent of 34,000 engineers working full time over 11 months to reduce risk and strengthen security and resilience across its digital ecosystem. 

The SFI was rolled out to deliver on Microsoft’s ambition to safeguard the future for its customers and community, underpinned by the company’s mission to “prioritise security above all else”. 

Based on several key overarching cybersecurity goals and objectives, the initiative has already delivered marked results across Microsoft. 

This includes the development of a security-first culture, new holistic governance structures to address cyber risk and compliance enterprise-wide and enhanced innovation and design. 

To set out delivery against the original objectives and multi-year journey of the SFI, Microsoft has released its SFI Progress Report – the second report on the initiative that details progress made since May 2024.

Initiative-wide cybersecurity progress 

The SFI builds on three core principles designed to help ensure Microsoft’s products are secure from inception, through deployment and use. These are defined as Secure by Design, Secure by Default and Secure Operations.

Six key engineering pillars, each representing a critical area of cybersecurity focus, guide the company’s efforts to deliver against these principles. These pillars are:

• Protect identities and secrets
• Protect tenants and isolation production systems
• Protect networks
• Protect engineering systems
• Monitor and detect threats
• Accelerate response and remediation

Each of these engineering pillars includes several objectives (28 in total), as well as detailed customer guidance around themes, including reducing risk related to credentials, improving productivity and production devices security, adhering to security baselines and Zero Trust implementation. 

Writing in a Microsoft blog about the latest progress report, Charlie Bell, Executive Vice President of Microsoft Security, says the company has driven measurable results across all six pillars. 

“We continue to make progress in every pillar and objective,” he notes. “Out of 28 objectives, five are nearing completion, 11 have made significant progress and we continue to make progress against the rest.

“As a result of SFI, our platforms and services are more secure and we have improved our ability to detect and respond to cyberthreats.”

Progress in culture, governance and security

The report highlights several core areas of progress across the business, particularly around culture and governance. 

For example, as of the end of 2024, every employee was given security core priorities and the opportunity to discuss security impact with managers. 

In addition, 50,000 employees took part in the Microsoft Security Academy training and more than 99% completed security-specific courses to increase cybersecurity awareness.

Microsoft also plans to introduce a Global Cybersecurity Ambassador Program. This will provide business functions across the company with better cybersecurity awareness and allow them to share best practices and actions with customers and partners. 

The progress report also highlights improvements to Microsoft’s overall cybersecurity risk and compliance based on a new governance structure introduced in 2024. 

“We’ve appointed a Deputy Chief Information Security Officer for Business applications, and consolidated responsibility for Microsoft 365 and Experiences and Devices,” writes Charlie. “All 14 Deputy CISOs across Microsoft have completed a risk inventory prioritisation, creating a shared view of enterprise-wide security risk.

“This kind of structure is critical for scale, ensuring security isn’t just centralised, but embedded throughout the organisation.”

Delivering innovation and security principles

Regarding innovation and engineering, Microsoft’s SFI work has yielded progress in several areas, including hardening identity security, reducing the risk of lateral movements across networks and tenants and improved detection and response capabilities.

For example, Microsoft’s teams have added more than 200 additional detections against top tactics, techniques and procedures, all of which will be integrated into its Defender.

The company has also sought out key partnerships within the security research community, resulting in the discovery of 18 vulnerabilities in high-impact areas like cloud and AI and the launch of new sign-in protection for key products. 

“To better protect our customers, engineering teams across the company are delivering innovation aligned with our security principles, such as the new Secure by Design UX Toolkit, which we tested with 20 product teams, rolled out to 22,000 employees and shared publicly,” Charlie writes.  

“This toolkit embeds security best practices into product development and is already delivering results. It includes best practices, conversation cards and workshop tools to help teams build security capability, pinpoint vulnerabilities in products and prioritise where to focus.”

Against the challenge of a rapidly evolving threat landscape, Microsoft’s progress report signals its intention to deliver more secure platforms for customers and its ecosystem. 

Charlie concludes: “SFI is how we’re rising to that challenge. We are applying Zero Trust principles, driving security from the engineering core and sharing what we learn. There is more work ahead and we are committed to the journey.”

Explore the latest edition of Cyber Magazine and be part of the conversation at our global conference series, Tech & AI LIVE and Cyber LIVE.

Discover all our upcoming events and secure your tickets today.

Cyber Magazine is a BizClik brand