Microsoft’s cybersecurity dilemma: An open letter to Satya Nadella
Full Text of the Open Letter www.helpnetsecurity.com/2024/07/09/microsoft-cybersecurity-dilemma/


There is no indication that the root of Microsoft’s cybersecurity issues is being addressed. In fact, all indications are that the executive team is somewhat worried and bewildered by the diverse and numerous issues arising. After many embarrassing incidents, which recently culminated in the President of Microsoft being called to answer questions before Congress, the Board and senior executive team once again instituted security measures to resolve the problems. Confidence among the cybersecurity community was not high, as this was not the first time such promises had been made. Shortly thereafter, more security failures occurred.

Microsoft has announced additional measures as part of its Secure Future Initiative, which was actually created in November 2023 to solve the previous embarrassing problems that plagued the company in 2021-2023, in another attempt to stem the cybersecurity failures. Based upon the events of July 2023, the U.S. Cyber Safety Review Board criticized the company’s leadership and culture, which led to a “cascade of Microsoft’s avoidable errors”. Since then, two more major breaches have occurred, along with a myriad of other unsettling security issues.

Highlights of their best hacks and missteps 2021-2024

  • Jan 2021: Microsoft Exchange Server Vulnerability Leads to 60,000+ Hacks
  • April 2021: 500 Million LinkedIn Users’ Data Scraped and Sold
  • Aug 2021: Thousands of Microsoft Azure Customer Accounts and Databases Exposed
  • Aug 2021: 38 Million Records Exposed Due to Microsoft Power Apps Misconfiguration
  • Mar 2022: Lapsus$ Group Breaches Microsoft
  • Oct 2022: 548,000+ Users Exposed in BlueBleed Data Leak
  • July 2023: Chinese Hackers Breach U.S. Agencies Via Microsoft Cloud
  • Sept 2023: 60k State Department Emails Stolen in Microsoft Breach
  • Jan 2024: Microsoft Azure Breached by Russian Intelligence Group, Source Code Stolen
  • May 2024: Microsoft Announces Recall Feature, a Privacy and Security Nightmare
  • June 2024: Microsoft Fails to Renew Their Security Certificates for Office*

*Unexpected expiration of Microsoft security certificates has happened numerous times, causing disruption (including to Teams in Feb 2024 and 2020, and to Azure in 2023 and 2013).


Failures Ahead?

Sadly, it is clear they are attempting to leverage the same flawed framework that created the systemic issues to somehow solve the problem. Well, the problem is leadership which does not see the broader security issues, so having the same leaders guiding the way will not get them out of this predicament.

I have been discussing, talking about, and analyzing the many recent cybersecurity issues with colleagues, and in one of my most recent posts I asked if anyone was willing to reach out to Satya, perhaps the most powerful person in the world of digital technology. No takers.

So, I put pen to e-paper and have published an open letter to him to paint the picture of the problems and offer recommendations on how Microsoft can evolve to be a much better steward of trust for its products and a foundation for our global electronic ecosystem.

For context, I have seen nearly identical issues in other large organizations and have written many articles on the failures of cybersecurity leadership. In fact, I have identified and wrestled with an identical issue in one of the biggest tech firms in the US. It is addressable.


Let's Raise Expectations!

But I believe it will take Satya Nadella to be aware and engaged.

It is time we raise our collective voices to the top. To the CEO himself, Satya Nadella, who at the end of the day is ultimately responsible. I think at this point it will take his direct intervention.

If you have a chance, take a read of the full letter to Mr. Nadella. If you like it, upvote, share, and comment. If you don’t, feel free to add your thoughts on how Microsoft should tackle this persistent problem. Let’s get this in front of the CEO of Microsoft, so we all can be safer in our computing and have a trustworthy foundation for digital innovation, productivity, and success.


Open Letter to Satya Nadella, to address Cybersecurity Leadership Issues: Posted to Help Net Security : https://www.helpnetsecurity.com/2024/07/09/microsoft-cybersecurity-dilemma/

Tim Howard

30K Followers | Cybersecurity | Certified vCISO | Advisor | Executive Search | Career Coach | Author | Speaker | Podcaster

4 months

Matthew Rosenquist I respectfully disagree that this was a Microsoft problem. It was 100% due to an untested CrowdStrike update that was not certified through the Microsoft process. They rushed to get it out and shut down 50% of the Fortune 500 companies. Heads should roll. Companies should drop them like a hot potato, since their change management and testing processes are so inadequate.

Matthew Rosenquist

CISO at Mercury Risk. - Formerly Intel Corp, Cybersecurity Strategist, Board Advisor, Keynote Speaker, 190k followers

4 months

Not that I need to beat a dead horse, but did anyone notice that the CrowdStrike outage today reportedly only affected Microsoft Windows 10 machines? What decisions were made that left these machines so vulnerable to an update from a 3rd-party software company that it caused widespread Blue Screens of Death (BSOD) to appear across the globe? Let's be clear, the cause of the global outages is with CrowdStrike, but Microsoft did have a hand in this game. They have the power to limit the impacts of 3rd-party software that is misbehaving. Microsoft is a contributor to risk, and I see it has an opportunity to improve its internal decision leadership for better overall security of the global digital ecosystem!

Matthew Rosenquist, very well stated and extremely timely. It is time for Microsoft to respond. CISOs are under the microscope but often have no influence over the enterprise licensing agreements that are signed in their companies. Those who do have to spend months negotiating and reviewing even the most fundamental of security requirements, and are then told services must be bought for proper implementation and configuration. Security by design needs to start with Microsoft.
