
Microsoft gave new details about its security initiatives on Monday morning, less than five months after CEO Satya Nadella and security leader Charlie Bell outlined a series of reforms to address cybersecurity breaches, and said the company would be making security its top priority.
In a 25-page Secure Future Initiative (SFI) progress report, the company explained a series of technical and governance changes, following the framework set out in a critical report by the Cyber Safety Review Board (CSRB) in April 2024 that described Microsoft’s security culture as “inadequate.”
For example, the company said it is protecting identities and secrets by using hardware security modules for token signing keys; eliminating unused apps and tenants; using “Just in Time” and “Just Enough Access” policies for elevated roles; and monitoring and detecting threats by ensuring standardized security logs for all assets.
“In May 2024, we expanded the initiative to focus on six key security pillars, incorporating industry feedback and our own insights. Since the initiative began, we’ve dedicated the equivalent of 34,000 full-time engineers to SFI — making it the largest cybersecurity engineering effort in history,” Bell wrote in a blog post accompanying the report.

Microsoft also named the 13 people who now serve as deputy chief information security officers (CISOs) in its product groups (see below), following up on a part of the plan that was announced in May. The deputy CISOs report directly to Microsoft’s Chief Information Security Office, led by Igor Tsyganskiy as Microsoft’s CISO.
The company’s senior leadership team reviews its security progress weekly, and Microsoft’s board gets updates quarterly, explained Bell, the Microsoft Security executive vice president.
Microsoft revealed in January of this year that a Russian state-sponsored actor known as Nobelium or Midnight Blizzard accessed its internal systems and executive email accounts. More recently, the company said the same attackers were able to access some of its source code repositories and internal systems.
In another high-profile incident, in May and June 2023, the Chinese hacking group known as Storm-0558 is believed to have compromised the Microsoft Exchange Online mailboxes of more than 500 people and 22 organizations worldwide, including senior U.S. government officials.
Here is the list of deputy CISOs, with bios provided by the company:
Damon Becknel, Vice President and Deputy CISO, Regulated Industries
Damon Becknel provides security oversight and governance for Microsoft’s solutions for regulated industries, including healthcare and financial services and our legal department, CELA. Prior to Microsoft, Damon served in a number of technology and security roles in the US Army before serving in CISO roles at ID.me and Horizon Blue Cross Blue Shield of New Jersey.
Geoff Belknap, Corporate Vice President and Deputy CISO, Core and Mergers & Acquisitions
Geoff Belknap has responsibility for Microsoft’s core infrastructure and network, corporate applications, and future and existing acquisitions, in addition to his duties in digital security and resilience. Prior to this role, Geoff was CISO at LinkedIn and Slack, and CSO at Palantir.
Shawn Bowen, Vice President and Deputy CISO, Gaming
Shawn Bowen is Deputy CISO for Microsoft’s Gaming offerings. Prior to joining Microsoft, Shawn spent more than 27 years in a variety of engineering and security roles, including CISO at World Kinect and United States Marine Corps Intelligence. He also retired as a senior leader for Air Force Cyber.
Terrell Cox, Vice President and Deputy CISO, Microsoft Security Products Division
In addition to her responsibilities as Deputy CISO for Microsoft Security Products, Terrell serves as the Vice President of Privacy Engineering in Microsoft Security, overseeing cybersecurity and privacy compliance, Microsoft’s privacy infrastructure, and expanding Microsoft’s engineering hubs in US East and Gulf Coast locations. Over the past 26 years at Microsoft, Terrell served in numerous engineering leadership roles across the company.
Vanessa Feliberti Bautista, Corporate Vice President and Deputy CISO, Microsoft 365
Vanessa Feliberti Bautista is Deputy CISO for Microsoft 365, in addition to her role as CVP for M365 Services Platform Engineering leading the development, operation, and innovation of the infrastructure that powers Microsoft 365’s customer experiences. Her tenure at Microsoft spans three decades and includes spearheading initiatives that move Microsoft services forward together in upleveling resiliency and accelerating the delivery of personalized AI experiences.
Ann Johnson, Corporate Vice President and Deputy CISO, Customer Security Management Office
In addition to her Deputy CISO responsibilities for the Customer Security Management Office (CSMO), Ann Johnson is responsible for all external engagement and communications for the Office of the CISO. Her technology career has spanned more than three decades, including 24 years in cybersecurity leadership roles at RSA Security, Qualys, and Microsoft.
Naresh Kannan, Technical Fellow and Deputy CISO, Experiences and Devices
Naresh Kannan is Deputy CISO for Microsoft’s Experiences and Devices organization with responsibility for security in products including SharePoint, Office, Windows, OneDrive, and Viva, in addition to his responsibilities leading OneDrive and SharePoint core engineering and product management. Naresh has been at Microsoft for more than 25 years in a variety of engineering leadership roles.
John Lambert, Deputy CISO, Threat Landscape
In addition to his Deputy CISO responsibilities for the threat landscape we face across the company and beyond, John Lambert founded and leads Microsoft’s Threat Intelligence function and has served in other senior leadership roles in the company since he joined 24 years ago. John is a Security Fellow and recognized thought leader in threat hunting, research, and tracking nation-state actors.
Timothy Langan, Corporate Vice President and Deputy CISO, Government
In addition to Tim’s responsibilities as a Deputy CISO for global government, he also has responsibilities for insider threats and operational resiliency. Prior to Microsoft, Tim served in government positions ranging from the US Marine Corps to more than 26 years at the FBI, culminating in his role as Executive Assistant Director of the largest branch of the FBI, covering cyber, criminal investigative, and other operations.
Mark Russinovich, Technical Fellow, Azure CTO & Deputy CISO for Azure
In addition to his responsibilities as Deputy CISO for Azure and operating systems, Mark Russinovich is Microsoft Azure CTO and Technical Fellow, where he shapes the strategic and technical direction of the platform and ensures that Azure includes the strongest security and privacy technology. Mark joined Microsoft in 2006, after Microsoft acquired Winternals Software, a company Mark co-founded.
Igor Sakhnov, Corporate Vice President and Deputy CISO, Identity
In addition to his Deputy CISO responsibilities for Identity, Igor Sakhnov leads the engineering teams focused on several components of Microsoft Entra, and has been in a number of senior engineering roles at Microsoft for over sixteen years. Prior to his 16 years at Microsoft, Igor had a number of engineering roles including in B2B and healthcare software.
Kumar Srinivasamurthy, GM of WebXT Fundamentals and Deputy CISO, Consumer
Kumar Srinivasamurthy is the Deputy CISO for Microsoft’s Consumer offerings, working on areas including Bing, Copilot, Ads, and Maps. His responsibilities include privacy, telemetry, end-to-end performance, and fraud detection for Microsoft’s AI services. Kumar has worked at Microsoft for nearly 25 years in a variety of engineering roles on products ranging from Office and Windows to Bing and Copilot.
Yonatan Zunger, Corporate Vice President and Deputy CISO, Artificial Intelligence
In addition to his Deputy CISO responsibilities, Yonatan Zunger is a CVP at Microsoft with responsibility for ensuring Microsoft’s AI products are safe and secure. Prior to this role, Yonatan had leading engineering roles at Twitter and Google, with a focus on high-capacity search and storage, social, and security and safety.