
Microsoft is adding the role of Deputy CISO. With this, the company wants to improve its communications with customers about its security efforts. Other officials have also been appointed, although Microsoft is not revealing details on those.

The brand new Deputy CISO is Ann Johnson, who has already been working for Microsoft’s security arm for more than eight years. She is set to focus on customer contact and regulated industries. Her superior, Microsoft CISO Igor Tsyganskiy, has held his role since December 2023. The other unnamed security execs will also report to him, Bloomberg reports.

Infiltrated twice

Microsoft, the world’s largest security vendor, suffered two major hacks over the past year. Attackers with state support from both China and Russia managed to enter sensitive Microsoft systems one after another and in different ways. The Chinese group Storm-0558 infiltrated Microsoft via an old key that should have long since ceased to be valid. According to the U.S. Cyber Safety Review Board (CSRB), this was one of a “cascade of errors” that had made the hack possible.

The Russian Midnight Blizzard group even stole e-mail messages between Microsoft and the U.S. government. On several occasions, Microsoft’s top executive layer was shown not to adhere to well-known security best practices. A painful conclusion, since the company itself, like other security vendors, continually insists on things like MFA and zero-trust.

In both cases, communication with the outside world proved problematic. The CSRB strongly criticized the series of blog posts Microsoft devoted to the Chinese hack. Although the company tried to promote transparency with said blogs, the information in them was repeatedly inaccurate. Corrections to the published work online also came far too late and only at the urging of the CSRB. It will be up to the revamped C-suite to show significant improvement on that front.

Major changes

A culture shift appears to be in order. The CSRB rounded out its report by concluding that Microsoft has long neglected security. The researchers pointed to a 2002 statement by founder and then-CEO Bill Gates: “When we face a choice between adding features and resolving security issues, we need to choose security.”

The new executives will do well to take this old advice to heart. Accordingly, Bloomberg reports that the changes are indeed intended to put the focus back on security in every product group from now on. CEO Satya Nadella also told investors last week that Microsoft is now prioritizing security above everything else.
