What is this about?

Microsoft introduced the Secure Future Initiative (SFI) in November 2023 to advance cybersecurity protection for Microsoft, its customers, and the industry. In May 2024, it expanded the initiative to focus on six key security pillars. This is a reaction post to Microsoft’s Secure Future Initiative as described in Securing our future: September 2024 progress update on Microsoft’s Secure Future Initiative (SFI) by Charlie Bell, Executive Vice President, Microsoft Security. You can get the PDF of the Secure Future Initiative here.

What do we think?

First and foremost, this is a great step forward for security. It is a culmination of many good practices and lessons learnt from security incidents. The six pillars (protect identity and secrets; protect tenants and isolate production systems; protect networks; protect engineering systems; monitor and detect threats; and accelerate response and remediation) are vital to security. They cover the whole spectrum of security and are reasonable measures any company should take to protect what it uses. Which subset of pillars is most relevant to your company depends on your specific risk profile. Nevertheless, they are all important to your overall cybersecurity.

The best part of the SFI for us is the emphasis on fostering a cybersecurity culture within your organisation: everyone is responsible for security. This ensures, even at performance review time, that all employees are thinking about security and learning how to act in the best interest of your organisation’s security. Instead of being confined to annual “in one ear, out the other” compliance training, security now becomes the number one priority. The emphasis on in-house training is the right approach: train your staff to be secure and take that training seriously.

In addition, building a continuous improvement loop into the design means one stays agile: reacting to changes in the threat landscape, responding dynamically to one’s own risks, and striving to stay secure rather than blindly checking boxes. As with all frameworks, it needs tailoring to your specific needs to get the best value. It is great to see this baked in.

Overall, the SFI should be lauded and is a good thing™.


However, the SFI comes late in the game. It is better late than never. Most of the security community we talked to were shocked that some of the basic things outlined in the framework were not already implemented. The SFI framework is a simple shift-left application of basic security principles. It is a great way to get started. The fact that Microsoft is only implementing some of this framework now, given that it is responsible for the operating systems running 95% of all computers in the world, is worrying.

Finally, the SFI does provide a minimum bar for security: are you as secure as Microsoft? Well, are you? This is great news. It offers security professionals a simple, easy-to-implement framework for a company of any size that offers a massive boost to security. And it has been vetted by Microsoft, which carries a lot of weight, especially in those budget negotiations with the C-suite. The six pillars offer a great foundation for OKRs which can be dropped into your next iteration. Of course, one does not need to weight each pillar equally: within your organisation it will be natural to emphasise some pillars over others because they offer more return based on your own risks.

Takeaway

The whole SFI is a fantastic way to ensure that your company and your customers are more secure. As we keep saying, security is dye, not paint, and this initiative is a good implementation of this very idea. It is refreshing to know that Microsoft agrees!

More than anything else, the SFI provides guidance and foundations as to how you can implement this in your own organisation. Since it is backed by the biggest software company in the world, selling it to the board and C-suite should be much easier.

If you need guidance in implementing this, or even a more secure framework tailored to your risks, please do get in touch via our contact form.