{“lastseen”:”2025-10-13T17:52:16″,”description”:”At Microsoft, building a lasting security culture is more than a strategic priority\u2014it is a call to action. Security begins and ends with people, which is why every employee plays a critical role in protecting both Microsoft and our customers. When secure practices are woven into how we think, work, and collaborate, individual actions come together to form a unified, proactive, and resilient defense.\\n\\nOver the past year, we\u2019ve made significant strides through the Secure Future Initiative (SFI), embedding security into every layer of our engineering practices. But just as critical has been our transformation in how we educate and engage our employees. We revamped our employee security training program to tackle advanced cyberthreats like AI-enabled attacks and deepfakes. We launched the Microsoft Security Academy to empower our employees with personalized learning paths that create a relevant experience. We\u2019ve made security culture a company-wide imperative, reinforcing vigilance, embedding secure habits into everyday work, and achieving what technology alone cannot. It is more than a mindset shift; it\u2019s a company-wide movement, led from the top and setting a new standard for the industry.\\n\\nDiscover more about the Microsoft Secure Future Initiative\\n\\nTo help other organizations take similar steps, we are introducing two new guides\u2014focused on identity protection and defending against AI-enabled attacks\u2014that offer actionable insights and practical tools. These resources are designed to help organizations rethink their approach in order to move beyond 101-level content and build a culture of security that is resilient, adaptive, and people-powered. Because in cybersecurity, culture is more than a defense\u2014it is the difference between reacting to cyberthreats and staying ahead of them.\\n\\n## Training for proactive security: Empowering employees in a new era of advanced threats\\n\\nSecurity is the responsibility of every Microsoft employee, and we\u2019ve taken deliberate steps to make that responsibility tangible and actionable. Over the past year, we\u2019ve worked hard to reinforce a security-first mindset throughout every part of the company\u2014from engineering and operations to customer support\u2014ensuring that security is a shared responsibility at every level. Through redesigned training, personalized guidance, regular feedback loops, and role-specific expectations, we are fostering a culture where security awareness is both instinctive and mandatory.\\n\\nAs cyberattackers become increasingly sophisticated, using AI, deepfakes, and social engineering, so must the way we educate and empower employees. The security training team at Microsoft has overhauled its annual learning program to reflect this urgency. Our training is thoughtfully designed to be even more accessible and inclusive, built from empathy for all job roles and the work they do. This helps ensure that all employees, regardless of background or technical expertise, can fully engage with the content and apply it in meaningful ways. The result is a lasting security culture that employees not only embrace in their work but also carry into their personal lives.\\n\\nTo ensure our lasting security culture is rooted in real-world cyberthreats and tactics, we\u2019ve continued to push our Security Foundations series to feature dynamic, threat-informed content and real-world scenarios. We\u2019ve also updated training content in traditional topics like phishing, identity spoofing, and AI-enabled cyberattacks like deepfakes. All full-time employees and interns are required to complete three sessions annually (90 minutes total), with newly created content every year.\\n\\nSecurity training must resonate both in the workplace and at home to create a lasting impact. That is why we equip employees with a self-assessment tool that delivers personalized, risk-based feedback on identity protection, along with tailored guidance to help safeguard their identities\u2014both on the job and in their personal lives.\\n\\n## The ingredients for successful security training\\n\\nAt Microsoft, the success of our security training programs hinges on several crucial ingredients: fresh, risk-based content; collaboration with internal experts; and a relentless focus on relevance and employee satisfaction. Rather than recycling old material, we rebuild our training from the ground up each year, driven by the changing cyberthreat landscape\u2014not just compliance requirements. Each annual program begins with a risk-based approach informed by an extensive listening network that includes internal experts in threat intelligence, incident response, enterprise risk, security risk, and more. Together, we identify the top cyberthreats where employee judgment and decision-making are essential to keeping Microsoft secure\u2014and how those cyberthreats are evolving.\\n\\nTake social engineering, for instance. This topic is a consistent inclusion in our training because around 80% of security incidents start with a phishing incident or identity compromise. But we are not teaching phishing 101, as we expect our employees already have foundational awareness of this cyberthreat. Instead, we dive into emerging identity threats, real-world cyberattack scenarios, and examples of how cyberattackers are becoming more sophisticated and scaling faster than ever.\\n\\nThe impact we are making on the security culture at Microsoft is not by chance, nor is it anecdotal. The Education and Awareness team within the Office of the Chief Information Security Office (OCISO) applies behavioral science, adult learning theory, and human-centered design to the development of every Security Foundations course. This ensures that training resonates, sticks, and empowers behavioral change. We also continually measure learner satisfaction and content relevancy, both of which have climbed significantly in recent years. We attribute this positive change to the continual innovation and evolution of our content and the increased attention we pay to the learning and cultural needs of our employees.\\n\\nFor example, the Security Foundations training series is consistently one of the highest-rated required employee training courses at Microsoft. Our post-training surveys tell a clear story: employees see themselves as active participants in keeping Microsoft secure. They feel confident identifying threats, know how to escalate issues, and consistently reinforce that security is a top priority across roles, regions, and teams.\\n\\n\\u003e _This was one of the best Security Foundations that I ‘ve taken, well done! The emphasis on deepfake possible attacks was enlightening and surprising, I thought it was a great choice to actually deepfake [our actor] to show how real it sounds and show in real time what is possible to get that emphasis. The self-assessment was also great in terms of showing the areas that I need to work on and use more caution._\\n\\u003e \\n\\u003e _\u2014Microsoft employee_\\n\\nToday, engagement with the Security Foundations training is strong, with 99% of employees completing each course. Learner satisfaction continues to climb, with the net satisfaction score rising from 144 in fiscal year (FY) 2023 to 170 today. Relevancy scores have followed a similar trend, increasing from 144 in FY 2023 to 169 today.1 These scores reflect that our employees view the security training content as timely, applicable, and actionable.\\n\\n## Microsoft leadership sets the tone\\n\\nOur security culture change started at the top, with Chief Executive Officer (CEO) Satya Nadella mandating that security be the company\u2019s top priority. His directive to employees is clear: when security and other priorities conflict, security must always take precedence. Chief People Officer (CPO) Kathleen Hogan reinforced this commitment in a company-wide memo, stating, \u201cEveryone at Microsoft will have security as a Core Priority. When faced with a tradeoff, the answer is clear and simple: security above all else.\u201d\\n\\nThe Security Core Priority continues to enhance employee training around security at Microsoft. As of December 2024, every employee had a defined Security Core Priority and discussed their individual impact during performance check-ins with their manager. Hogan explains that this isn\u2019t a one-time pledge, but a non-negotiable, ongoing responsibility shared by every employee. \u201cThe Security Core Priority is not a check-the-box compliance exercise; it is a way for every employee and manager to commit to\u2014and be accountable for\u2014prioritizing security, and a way for us to codify your contributions and to recognize you for your impact,\u201d she said. \u201cWe all must act with a security-first mindset, speak up, and proactively look for opportunities to ensure security in everything we do.\u201d\\n\\nThis commitment is embedded in how Microsoft governs and operates at the highest levels. Over the past year, the senior leadership team at Microsoft has focused on evaluating the state of our security culture and identifying ways to strengthen it. Security performance is reviewed at weekly executive meetings with deep dives into each of the six pillars of our Secure Future Initiative. The Board of Directors receives regular updates, reinforcing the message that security is a board-level concern. We\u2019ve also reinforced our commitment to security by directly linking leadership compensation to security outcomes\u2014elevating security to the same level of importance as growth, innovation, and financial performance. By using executive compensation as an accountability mechanism tied to specific security performance metrics, we\u2019ve driven measurable improvements, especially in areas like secret hygiene across our code repositories.\\n\\n## Reinforcing security culture through engagement and hiring\\n\\nSecurity culture is not built in a single training session; it is sustained through continuous engagement and visible reinforcement. To keep security top-of-mind, Microsoft runs regular awareness campaigns that revisit core training concepts and share timely updates across the company. These campaigns span internal platforms like Microsoft SharePoint, Teams, Viva Engage, and global digital signage in offices. This creates a consistent drumbeat that embeds security into daily workflows through reminders that reinforce key behaviors.\\n\\nLaunching fall 2025, the global security ambassador program will activate a grassroots network of trusted advocates within teams and departments across organizations and geographies. With a goal of reaching at least 5% employee participation, these ambassadors will serve as local champions, helping amplify initiatives, offering peer-to-peer guidance, and offering valuable feedback from the front lines. This approach not only sustains engagement but ensures Microsoft’s security strategy is informed by real-world insights from across the organization. As cyberattackers continue to grow more advanced, our employees must constantly learn and adapt. For this reason, security is a continuous journey that requires a culture of continuous improvement, where lessons from incidents are used to update policies and standards, and where employee feedback helps shape future training and engagement strategies.\\n\\nSecurity culture is only as strong as the people who live it. That is why Microsoft is investing heavily in talent to scale its defenses through upskilling and hiring. Through the resulting increase in security engineers, we are making sure that every team, product, and customer benefits from the latest in security thinking and expertise.\\n\\n## Embedding security into engineering\\n\\nThe company leadership sets the vision, but real transformation happens when security is woven into our engineering. We are moving beyond simply applying security frameworks\u2014reengineering how we design, test, and operate technology at scale. To drive this shift, we\u2019ve aligned our engineering practices with the Protect Engineering Systems pillar of SFI, embedding security into every layer of development, from identity protection to threat detection. Our Microsoft Security Development Lifecycle (SDL), once published as a standalone methodology, is now deeply integrated into the Secure by Design pillar of SFI, ensuring security is part of the process, from the first line of code to final deployment.\\n\\n\\n\\n## What is DEVSECOPS? \\n\\nLearn more \u2197\\n\\nWe\u2019ve embedded DevSecOps and shift-left strategies throughout our development lifecycle, backed by new governance models and accountability structures. Every engineering division now has a Deputy Chief Information Security Officers (CISO) responsible for embedding security into their workflows. These practices reduce costs, minimize disruption, and ultimately lead to more resilient products.\\n\\nUnder SFI, security is treated as a core attribute of product innovation, quality, innovation, and trust. And as Microsoft redefines how security is built into engineering, we are also transforming how it is lived. This means providing every employee with the awareness and agility needed to counter the most advanced cyberthreats.\\n\\n## Security culture as a matter of business trust\\n\\nFor Microsoft, a strong security culture helps us protect internal systems and uphold customer and partner trust. With a global presence, broad product footprint, and a customer base that spans nearly all industries, even a single lapse can have impact at a scale where even a single security lapse can have wide-reaching implications. Embedding security into every layer of the company is both complex and essential\u2014and involves more than just cutting-edge tools or isolated policies. Our security-first employee mindset views security not as a discrete function, but as something that informs every role, decision, and workflow. And while tools are indispensable in addressing technical cyberthreats, it is culture that ensures those tools are consistently applied, refined, and scaled across the organization.\\n\\n## Paving the road ahead for lasting security culture\\n\\nThe famous quote attributed to renowned management consultant Peter Drucker that \u201cculture eats strategy for breakfast\u201d holds especially true in cybersecurity. No matter how well-designed a security strategy may be, it can\u2019t succeed without a culture that supports and sustains it. Ultimately, the formula for proactive security at Microsoft is built on three connected elements: people, process, and culture. And although we\u2019ve made meaningful progress on all three fronts, the work is never finished. The cybersecurity landscape is constantly shifting, and with each new challenge comes an opportunity to adapt, improve, and lead.\\n\\nThe decision by Microsoft to treat security not as an isolated discipline, but as a foundational value\u2014something that informs how products are built, how leaders are evaluated, and how employees across the company show up every day\u2014is a core aspect of SFI. This initiative has already led to measurable improvements, including the appointment of Deputy CISOs across engineering divisions, the redesign of employee training to reflect AI-enabled threats, and the coming launch of grassroots programs like the global Security Ambassador program.\\n\\nThe Microsoft Secure Future Initiative is our commitment to building a lasting culture that embeds security into every decision, every product, and every employee mindset. We invite others to join us and transform how security is lived. Because in the current threat landscape, culture is not just a defense\u2014it makes the difference.\\n\\nSecurity above all else with the Secure Future Initiative\\n\\n## Culture in practices: Tools to build a security-first mindset\\n\\nTo reinforce a security-first mindset across work and home, we\u2019ve developed the following resources for our internal employees. We are also making them available for you to help drive the same commitment in your organization.\\n\\n * **Identity Protection Guide**\u2014Critical identity protection practices for reduce your risk of cyberattacks\u201d of a cyberattack, at work and at home.\\n * **Security Foundations: Guarding Against AI-Powered Attacks** \u2014A reference guide to spotting and protecting yourself against AI-powered cyberattacks.\\n\\n\\n\\n##### Microsoft Deputy CISOs\\n\\nTo hear more from Microsoft Deputy CISOs, check out the OCISO blog series. \\n\\nTo stay on top of important security industry updates, explore resources specifically designed for CISOs, and learn best practices for improving your organization\u2019s security posture, join the Microsoft CISO Digest distribution list.\\n\\n\\n\\nTo learn more about Microsoft Security solutions, go to our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.\\n\\n* * *\\n\\n_1 Microsoft internal data_\\n\\nThe post Building a lasting security culture at Microsoft appeared first on Microsoft Security Blog.”,”published”:”2025-10-13T16:00:00″,”modified”:”2025-10-13T16:00:00″,”type”:”mssecure”,”title”:”Building a lasting security culture at Microsoft”,”source”:””,”references”:””,”id”:”MSSECURE:99D4775C61D70B29DEBB50E8E9E3895E”,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/10\/13\/building-a-lasting-security-culture-at-microsoft\/”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:”AI processing failed – returned non-JSON response”,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-10-13T17:52:16″,”description”:”At Microsoft, building a lasting security culture is more than a strategic priority\u2014it is a call to action. Security begins and ends with people, which…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,110,13,33,7,11,5],"class_list":["post-21310","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-mssecure","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n