Microsoft in Cybersecurity Leadership Crisis

Matthew.Rosenquist
3 min read · Jul 9, 2024


Open Letter to the CEO

There is no indication that the root of Microsoft’s cybersecurity issues is being addressed. In fact, all indications are that the executive team is somewhat worried and bewildered at the diverse and numerous issues arising. After many embarrassing incidents, which recently culminated in the President of Microsoft being called to answer questions before Congress, the Board and senior executive team once again instituted security measures to resolve the problems. Confidence among the cybersecurity community was not high, as this was not the first time such promises were made. Shortly thereafter, more security failures occurred.

Microsoft has announced additional measures as part of its Secure Future Initiative, which was actually created in November last year to solve the previous embarrassing problems that plagued the company in 2021–2023, in another attempt to stem the cybersecurity failures. Based upon events that happened in July 2023, the U.S. Cyber Safety Review Board criticized the company’s leadership and culture, which led to a “cascade of Microsoft’s avoidable errors”. Since then, two more major breaches have occurred, along with a myriad of other unsettling security issues.

Highlights of their best hacks and missteps 2021–2024

· Jan 2021: Microsoft Exchange Server Vulnerability Leads to 60,000+ Hacks

· April 2021: 500 Million LinkedIn Users’ Data Scraped and Sold

· Aug 2021: Thousands of Microsoft Azure Customer Accounts and Databases Exposed

· Aug 2021: 38 Million Records Exposed Due to Microsoft Power Apps Misconfiguration

· Mar 2022: Lapsus$ Group Breaches Microsoft

· Oct 2022: 548,000+ Users Exposed in BlueBleed Data Leak

· July 2023: Chinese Hackers Breach U.S. Agencies Via Microsoft Cloud

· Sept 2023: 60k State Department Emails Stolen in Microsoft Breach

· Jan 2024: Microsoft Azure Breached by Russian Intelligence Group, Source Code Stolen

· May 2024: Microsoft Announces Recall Feature, a Privacy and Security Nightmare

· June 2024: Microsoft Fails to Renew Their Security Certificates for Office*

*Unexpected expiration of Microsoft security certificates has happened numerous times, causing disruption (including to Teams in Feb 2024 and 2020, and to Azure in 2023 and 2013).

Failures Ahead

Sadly, it is clear they are attempting to leverage the same flawed framework that created the systemic issues to somehow solve the problem. Well, the problem is leadership that does not see the broader security issues, so having the same leaders guiding the way will not get them out of this predicament.

I have been discussing, talking, and analyzing the many recent cybersecurity issues with colleagues, and in one of my most recent posts, I asked if anyone was willing to reach out to Satya, perhaps the most powerful person in the world of digital technology. No takers.

So, I put pen to e-paper and have published an open letter to him to paint the picture on the problems and offer recommendations on how Microsoft can evolve to be a much better steward of trust for its products and as a foundation for our global electronic ecosystem.

For context, I have seen nearly identical issues in other large organizations and have written many articles on the failures of cybersecurity leadership. In fact, I have identified and wrestled with an identical issue in one of the biggest tech firms in the US. It is addressable.

Let’s Raise Expectations!

But I believe it will take Satya Nadella to be aware and engaged.

It is time we raise our collective voices to the top: to the CEO himself, Satya Nadella, who at the end of the day is ultimately responsible. I think at this point it will take his direct intervention.

If you have a chance, take a read of the full letter to Mr. Nadella. If you like it, upvote, share, and comment. If you don’t, feel free to add your thoughts on how Microsoft should tackle this persistent problem. Let’s get this in front of the CEO of Microsoft, so we all can be safer in our computing and have a trustworthy foundation for digital innovation, productivity, and success.

Read the Open Letter to Satya Nadella on addressing Microsoft’s cybersecurity leadership issues, posted to Help Net Security: https://www.helpnetsecurity.com/2024/07/09/microsoft-cybersecurity-dilemma/

Matthew.Rosenquist

CISO and cybersecurity strategist specializing in the evolution of threats, opportunities, and risks in pursuit of optimal security