Microsoft’s internal security campaign is making strides as it works to dog food its own services into its internal security efforts.Note: “Dog Food” is not intended as a derogatory term in this case. It refers to the process in which a vendor utilizes its own products and processes internally in an effort to prove their effectiveness to customers. The phrase originates from the saying: “we are eating our own dog food.”The Redmond, Washington, software and services giant said that it is making strides in guarding its own systems against external threat actors and, in the process, hardening its own security products and services for customers.Microsoft’s security team acknowledged a number of challenges, but said that it is making strides in initiating security“Our progress will not be linear. The threat landscape will continue to evolve, resulting in new vulnerabilities and security incidents,” Microsoft said in its latest progress report.“Technology will advance, creating new ways to improve security and new issues to address.”Amongst the areas Redmond is looking to improve security are the development and engineering departments. Areas of focus include the application of zero trust architectures, mandating multi-factor authentication, and the use of fine-grained permissions and authentication for data access.As part of the security initiative, Microsoft said that some 50,000 employees completed its required security training courses and, as of December 2024, every employee of the company had been put on a security compliance program.Not every initiative is humming along at ideal speed, however. Microsoft said that of its 28 internal security initiatives, five were between null and 32% progress, three were at less than 65% progress, and four were classified as “no percentage” progress,The report should provide some comfort for security professionals who are struggling to implement their own security training and compliance policies amidst the workforce. If Microsoft can admit it still has work to do with its own security training and policy rollout, its clients can take some solace in knowing they are not alone.Microsoft also said it has stepped up its penetration testing efforts. In such tests, Microsoft brings in a red team (AKA the cool hackers) to test its data and physical network security by attempting to break in and steal key data.“Validating the effectiveness of new controls is critical, which we do in part through Red Team exercises,” Microsoft said.“These exercises simulate sophisticated adversary objectives to rigorously test designs, mitigations, and detection mechanisms.”The result, Microsoft said, will be not only an effective internal security policy, but a model that Redmond can pitch to its customers for overhauling their own security strategy.“We have activated our culture to foster a security first mindset in every employee at every level,” Microsoft said.“We established new holistic governance structures to address cybersecurity risk and compliance enterprise wide.”
