Tradeoff between security and another priority? Nadella answers, charts new road for Microsoft

Microsoft security overhaul: Microsoft is overhauling its security processes after a series of high-profile attacks in recent years. Security is now Microsoft’s “top priority,” the company outlined recently in response to ongoing questions about its security practices and the US Cyber Safety Review Board’s labeling of Microsoft’s security culture as “inadequate.”

Microsoft CEO Satya Nadella is now making it clear to every employee that security should be prioritised above all else. According to a report by The Verge, in a memo from Nadella to Microsoft’s more than 200,000 employees, he discusses the new security overhaul and how the company is learning from attackers to improve its security processes. Nadella also makes it explicitly clear that employees should not make security tradeoffs:

Nadella: If you’re faced with the tradeoff between security and another priority, your answer is clear: Do security. In some cases, this will mean prioritising security above other things we do, such as releasing new features or providing ongoing support for legacy systems. This is key to advancing both our platform quality and capability such that we can protect the digital estates of our customers and build a safer world for all.

Nadella wants Microsoft employees to approach the challenge of overhauling security “with both technical and operational rigor,” even looking at every line of code as an opportunity to improve Microsoft’s security. “It’s everyone’s top priority and our customers’ greatest need,” says Nadella.

Interestingly, Nadella also mentions prioritising security over supporting legacy systems. Microsoft has a long history of supporting its software products for many years past the norm, sometimes even extending this to decades of support or compatibility. Nadella drops a small hint here that the company may need to alter this approach for a secure future.

Microsoft has faced a series of security issues in recent years. Chinese government hackers targeted Microsoft Exchange servers with zero-day exploits in early 2021, enabling them to access email accounts and install malware on servers hosted by businesses. Last year, Chinese hackers breached US government emails thanks to a Microsoft Cloud exploit. Recently, the same Russian state-sponsored hackers that were behind the SolarWinds incident, known as Nobelium or Midnight Blizzard, were able to spy on the email accounts of some members of Microsoft’s senior leadership team last year and even steal source code earlier this year.