Microsoft has faced a series of security setbacks in recent times, prompting company CEO Satya Nadella to acknowledge the need for a cultural shift within the company. The top executive said that an overhaul is needed to prioritise security and address these challenges.
In a recent interview with Wired (via Business Insider), Nadella stressed the importance of changing the company's mindset. “That's what will be culture change,” he stated, emphasising the need to move beyond simply blaming employees and address the root causes of security vulnerabilities.
“This is not about a witch hunt internally at Microsoft,” he said, when asked whether there were any firings at the company.
While acknowledging the "perverse incentives" that often prioritise new product development over securing existing ones, Nadella expressed frustration with the tendency to focus on problems only after they occur.
He criticized those who “chase ambulances,” implying a reactive rather than proactive approach to security, while accepting the criticism directed at Microsoft and emphasised commitment to improving the company's security posture.
What has contributed to need of ‘culture change’ at Microsoft
Over the past year, Microsoft has grappled with several high-profile cybersecurity incidents. For example, in July, a faulty update from cybersecurity firm CrowdStrike triggered a global IT outage impacting countless Microsoft users.
Earlier, in March, a US Department of Homeland Security report criticised Microsoft's security systems as inadequate, highlighting its vulnerability to attacks, particularly from a Chinese hacking group known as Storm-0588.
In 2020 SolarWinds attack, a report claimed that Microsoft knowingly concealed a security flaw in one of its services to avoid jeopardizing potential government investment in its cloud business. This vulnerability was later exploited by Russian hackers.
Microsoft President Brad Smith acknowledge shortcomings
Not only Satya Nadella, Microsoft President has openly acknowledged these shortcomings. Brad Smith, vice chair and president of Microsoft, accepted responsibility for the issues raised in the Department of Homeland Security report.
The company also confirmed that its systems were compromised by the Russian hacking group Midnight Blizzard, resulting in unauthorised access to a small number of corporate email accounts.