Advancing cybersecurity
strategy at Microsoft
IT Showcase Article
Looking ahead
Microsoft Information Security and Risk
Management will invest to ensure that the
cybersecurity program at Microsoft
evolves to create a pervasive security
culture and anticipates emerging threats.
Knowing that security intrusions have
become a situation of “when, not if,” the
group pursues a goal of ensuring that
Microsoft is structured to identify and
mitigate threats as quickly as possible.
December 2015
The rise in sophisticated cyberattacks and
corresponding impacts drives the need for advanced
solutions to help companies discover, respond to, and
recover from attacks. More than ever, rigorous
execution of vulnerability remediation, configuration,
and change management is the most effective
preventative measure for an organization. As the
technology industry continues to embrace a mobile-first, cloud-first era, Microsoft must continue to advance
risk management and security controls, and balance
unparalleled security threats with business
requirements.
Cybersecurity trends in the industry
Businesses and consumers are under cyberattack at an unprecedented
scale. Attacker sophistication is increasing, and underground markets
selling exploits and “hacking as a service” have virtually eliminated the
barrier to entry for malicious actors. Despite improvements in defensive
capabilities, prevailing research still shows that, on average, it takes
organizations more than 200 days to detect a significant breach.
Destructive cyberattacks, insider threats, and third-party dependencies
have become a real threat to critical infrastructure, supply chains, and
potentially to life safety. Cyberattacks are also receiving extraordinary
public attention, driving greater interest and more regulation of
cybersecurity activities.
Yet, while the complexity of cyberattacks has grown, many publicly
acknowledged breaches have been caused by internal missteps that
could have been prevented or minimized with effective employee
education and security hygiene throughout corporate and third-party
provider IT services. Cybersecurity threats are placing ever more weight
on disciplined execution of the key IT security and operational controls that underpin effective cyber
defense. It has been proven repeatedly that the impact of a successful intrusion is more effectively
minimized with a mature detect-and-respond approach to cyber threats.
Our commitment to advance security
Microsoft is committed to building and implementing best-in-class security programs and
processes, and is constantly working to reduce exposure to cybersecurity risks. Our customers
expect that Microsoft will provide services with best-in-class security, in a more cost-effective way,
and with greater reliability than they can themselves. The Core Protection Principles at Microsoft
are:
• Protect customer data
• Ensure device integrity
• Safeguard the supply chain
• Protect our intellectual property
Microsoft Information Security and Risk Management (ISRM) supports the company’s overall
security mission by providing key security services that help to protect corporate systems, services,
data, and users. The service lines through which we deliver these services include: risk management,
threat and vulnerability management, identity and access management, security and incident
management, and security monitoring.
Deliver on the promise of security
In order to deliver on our security commitment to Microsoft, our partners, and our customers, ISRM
leverages five core strategies. These strategies define how we help to execute on the company’s
core protection principles and provide the foundation for the services we provide. The strategies
are designed to align information security practices with business objectives, and to ensure that
ISRM is structured to provide maximum business value to Microsoft and its customers. ISRM
strategies include:
1. Business enablement
2. Risk management
3. Technical controls and services
4. Execution excellence
5. Talent management
Business enablement
The pace of change in business continues to accelerate as the industry uses cloud computing and
increases adoption of personal and mobile devices in the workplace. Microsoft is meeting this
challenge through a broader and a more rigorous adoption of agile development practices and
quicker release cycles. The faster rate of change requires a security organization that works more
closely and effectively with stakeholders across IT and product groups, to meet the company’s
business demands while delivering the best and most advanced security solutions available.
As part of enabling the business, ISRM provides a framework and services that include:
• Policies, standards and requirements, risk indicators, and a common framework for
engagement and support.
• Adaptive platforms, assessments, automation, and interfaces that support the business to run
consistently and with enhanced security.
• Intelligence and analytics that help ISRM identify and respond to attacks, while enabling
businesses to make informed risk decisions.
Risk management
In alignment with the Microsoft Enterprise Risk Management Framework, ISRM uses a
comprehensive controls framework to identify and manage operational risk and support adherence
to regulatory requirements. As part of the risk management strategy, ISRM informs and advises
business leaders to aid them in making sound decisions—weighing information security risk factors
against business objectives, customer needs, and other requirements. ISRM supports Microsoft
across the range of modern business scenarios that regularly cross infrastructure, application,
supplier, and company security boundaries.
ISRM is driving the evolution of a “risk aware” culture and increased accountability throughout
Microsoft, by embedding risk management practices in stakeholder organizations across the
company.
As part of cross-company risk management, ISRM leads:
• The Information Risk Management Council, which is the governing body for information
security at Microsoft.
• An Enterprise Business Continuity Management program for the company that provides
resiliency and recoverability guidance and best practices that stakeholders can employ to
better protect our people, processes, and assets in the event of a disaster or prolonged outage.
• A streamlined risk and compliance framework that helps Microsoft ensure it has policies in
place to support compliance with industry standards and government regulations.
• Employee education and awareness through broad campaigns and targeted education.
• Work that influences behavior changes in our employee population by proactively addressing
key security issues, threats, and risks that stem from individuals engaging in activities that
may adversely affect the company.
Technical controls and services
The rapid pace of change in information technology requires continued investment in cybersecurity
technology in order to protect our computing resources from the evolving threat landscape. We
accomplish this by evaluating and prioritizing acquisitions, purchases, and emerging capabilities to
implement. ISRM uses technical and procedural controls, combined with best practices, to deliver
security services for the company.
In order to achieve greater efficiency, we must design and implement security controls and services
earlier in the product development lifecycle. The technical controls and services include:
• Research and evaluation of emerging technologies and threats.
• Systematic methods for prioritizing security investments.
• Alignment and integration of new capabilities with minimal redundancy.
• Operation of tools and/or controls in first- and third-party services.
• Tools and guidance for our business stakeholders to ensure that the company’s business
applications meet or exceed security requirements without the need for ad hoc security
controls development.
Execution excellence
Because of the large and growing number of critical services we provide to support the day-to-day
activities of the business, operation and execution excellence are mission-critical.
To remain relevant and drive continued use of the security services that we provide for the
company, ISRM provides:
• Guidelines that communicate when stakeholders and partners should contact us for assistance to meet
security requirements.
• Effective and efficient processes for governance, review, triage, and communicating ISRM’s
position, at a speed commensurate with the degree of risk.
• Data-driven guidance for our customers and stakeholders that provides freedom to maneuver
while discouraging them from embarking on high-risk courses of action.
Talent management
ISRM recognizes that people are the organization’s most important asset as we work to reduce
security threats and advance security across our organization with its highly diverse goals. The
organization strategically leverages a mix of full-time employees, vendors, and managed services
that are available around the world to accomplish our goals and objectives, drive innovation, and
maximize cost efficiencies. ISRM uses a targeted, multi-channel approach to identify and attract top
information security/risk management talent for Microsoft from colleges and industry. This
approach includes:
• A commitment to retaining talent using a mix of on-the-job training, strategic job rotation,
technical training, and leadership training.
• Every employee in ISRM creates and maintains a professional development program focused
on their specific development needs.
• The organization hosts a number of security competitions to increase awareness about security
careers at Microsoft.
• ISRM funds a number of senior-level employees to participate in graduate and executive-level
information security programs.
Where we invest
As we look ahead, ISRM will invest to ensure that the cybersecurity program at Microsoft evolves to
create a pervasive security culture and anticipates emerging threats. Primary investment areas for
the team anticipate cybersecurity trends and business needs, while creating an informed workforce
through ongoing education and training. We will prioritize ongoing sustainability and maturation of
our security foundation, while also investing heavily to build our detection and response
capabilities. Knowing that security intrusions have become a situation of “when, not if,” ISRM
pursues a goal of ensuring that Microsoft is structured to identify and mitigate threats as quickly as
possible.
As we monitor the cyber threat environment and adapt to changing business dynamics, ISRM will
work to advance security for Microsoft products and services and strive to achieve the right
measure of security to help achieve the company’s future success.
For more information
For more information about Microsoft products or services in the United States, call the Microsoft
Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Order Centre at
(800) 933-4750. Outside the 50 United States and Canada, please contact your local Microsoft
subsidiary. To access information via the web, go to:
http://www.microsoft.com
Microsoft IT
http://www.microsoft.com/ITShowcase
© 2015 Microsoft Corporation. All rights reserved. Microsoft and Windows are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies
and products mentioned herein may be the trademarks of their respective owners. This document is for
informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.