
Microsoft Made Security Everyone's Responsibility. Handled Well, It's the Right Move

By David Barry
Microsoft is making security the responsibility of every employee — the approach may even work. Here's why.

At the beginning of April, the U.S. Cyber Safety Review Board (CSRB) revealed that last year's breach of U.S. government email accounts by Chinese hackers could have been averted if Microsoft had taken preventive measures with its Microsoft Exchange Online service.

Storm-0558 Hack

The CSRB's report concluded that the intrusion by Storm-0558 — a hacking group linked to the People’s Republic of China — in the summer of 2023 could have been prevented.

The review highlighted a series of operational and strategic choices made by Microsoft that reflected a corporate culture where enterprise security investments and thorough risk management were deprioritized.

It characterized the incident as a "cascade of security failures" on Microsoft's part, which enabled state-sponsored hackers from China to infiltrate the email accounts of 22 organizations. The breach impacted over 500 individuals, including U.S. government employees involved in national security.

Microsoft's Response

The response from Microsoft was predictable. It launched a number of new security initiatives, including a new security governance framework spearheaded by the Chief Information Security Officer (CISO).

Charlie Bell, EVP of Microsoft Security, outlined the initiatives in a blog post. They include a range of technical and management measures designed to shore up confidence in the company.

The announcements were accompanied by a memo from Microsoft CEO Satya Nadella in which he placed responsibility for security on every Microsoft employee.

The memo, as reported by The Verge, explained his thinking on security moving forward. It reads:

“If you’re faced with the trade-off between security and another priority, your answer is clear: Do security. In some cases, this will mean prioritizing security above other things we do, such as releasing new features or providing ongoing support for legacy systems.

“This is key to advancing both our platform quality and capability such that we can protect the digital estates of our customers and build a safer world for all.”

It could be argued that security, in this case at least, is and should be company strategy. At Microsoft, that strategy is contained in the Secure Future Initiative (SFI) launched last November. However, Nadella has pushed this further in a move that could create problems for the company's 200,000 employees.


Are You Incentivizing Security?

Everyone involved in a business should be concerned with security, and that includes individual workers, ForgeSecurity's Andrew Lugsden told Reworked. However, individuals aren't solely responsible for all security considerations.

A business should provide suitable guidance, training and documentation for all security concerns, and give all its employees clear instructions for carrying out their day-to-day tasks securely. Management and reporting structures should also be in place so that employees can ask questions or raise security concerns.

“A common issue with security is that it is often bypassed in favor of speed and productivity, with many incentive structures rewarding this,” he said. "Management can also apply pressure on employees to work quickly and produce results which also creates incentives to ignore security, cut corners and just get the job done."

All levels of management must agree that security is more important than speed, and there can't be any fear of repercussions when such a policy is introduced if a business wants to promote security as a core principle, Lugsden added.

Digital Security Is a Shared Responsibility

In Microsoft's case, given the onslaught of security breaches over the past few years, every option needs to be on the table in order to function as an organization, said Will LaSala, field CTO at OneSpan.

“It’s becoming abundantly clear that organizations across all industries are struggling to stay ahead of the new era of cybersecurity threats. In Microsoft’s case, they have experienced a continuous onslaught of security breaches — from hackers spying on employee emails to stealing source code,” he said.

The current threat environment makes it an organization's responsibility to implement strong security measures to combat these growing threats, he added, such as continuous authentication and identity verification capabilities.

Security should be directly integrated within workflows to secure digital experiences, guaranteeing the integrity of people, data, transactions and documentation. Cybersecurity must begin from the top down.

However, no matter how sophisticated an organization’s technology becomes, there is still room for human error — 95% of breaches result from human error, according to IBM's Cyber Security Intelligence report.

"While organizations have a responsibility to provide comprehensive education to all personnel, employees must prioritize the provided cyber trainings with due diligence and understand their role in protecting the broader organization. The responsibility for digital security must be shared between organizations and employees to create a resilient defense against cyber threats," LaSala said.


It's a sentiment FusionAuth CEO Brian Pontarelli agrees with. Security is a shared responsibility across the organization and not something that should fall solely on any one employee or team, he argues. While individual employees must follow security best practices, the overall strategy and policies come from leadership.

If you hold employees accountable without support and resources, it crushes morale and trust, he said. The key is striking a balance of responsibility and empowerment: implementing mandatory security training, two-factor authentication and regular internal phishing simulations.

When done right, security becomes a shared cultural value, with leadership driving real change through policy, controls and resources, Pontarelli concluded. An empowered, equipped workforce is the only way to build a truly secure company today.


The Upsides and the Downsides of a Security-First Mindset

Making security a priority will increase awareness and accountability across a company. This can result in a more proactive culture in which staff members continuously consider the security consequences of their work, thereby lowering vulnerabilities and promoting a safer product environment, WinSavvy founder Adhip Ray said.

The potential drawback of Microsoft's new approach is that tying security to performance appraisals runs the risk of encouraging a culture of fear instead of innovation, he continued. Staff members may prioritize security at the price of creativity, stifling innovation or creating a risk-averse workplace more concerned with avoiding mistakes than with seeking audacious, creative ideas.

“Here, a mixed strategy would be vital,” he said. “Microsoft should make sure that, even if security is underlined, other important facets of employee performance including innovation, teamwork and customer focus are not subordinated. Not a barrier, security should be considered as an enabler of invention.”

All that said, judging Microsoft employees on their security work is a wise move, especially given that as technology evolves, so do threats, said WebsitePolicies CEO Vlad Khorkhorov.

“Making security part of everyone's performance review acknowledges this reality. It's no longer enough to have a fortress around your data; you need a vigilant army within,” he said. "Microsoft fosters a culture where security is everyone's responsibility by holding employees accountable. It's like those old fire drills we used to have — they might have seemed tedious, but they ingrained in us the importance of preparedness."

Khorkhorov also acknowledges Microsoft's role in making the initiative work, namely providing employees with the right training, resources and support. “It's about fostering a mindset where security isn't an afterthought but a core part of every decision. If done right, this approach could transform Microsoft into a security powerhouse, setting an example for others,” he said.

About the Author
David Barry

David is a European-based journalist of 35 years who has spent the last 15 following the development of workplace technologies, from the early days of document management, enterprise content management and content services. Now, with the development of new remote and hybrid work models, he covers the evolution of technologies that enable collaboration, communications and work and has recently spent a great deal of time exploring the far reaches of AI, generative AI and General AI.

Main image: Alexander Schimmeck