I know for a fact that Microsoft really does take security seriously, and most of the company is moving in the right direction. That said, the security problems revealed in the CSRB report are shocking and completely unacceptable for a technology company with the size, control, and power of Microsoft.

Remember, too, that after intense criticism from the cybersecurity community since the 1990s, Microsoft revved up its marketing machine several times, trumpeting security initiatives like Trustworthy Computing in 2002 (based on a publicly disclosed memo from Bill Gates himself), and the 2023 Secure Future Initiative, with the distinct purpose of bolstering Microsoft cloud security.

What’s next for Microsoft in the wake of the report?

Okay, so what happens next for Microsoft, its customers, and the security industry? Here are a few of my suggestions:

1. Microsoft should abandon its marketing hype around security. Along those lines, it should tear up its planned presentations for the RSA Conference next month and take the opportunity to communicate clearly and simply what happened, what it intends to do, and when it will do it.
2. Microsoft should routinely update the security community on its progress and metrics. In short, Microsoft should operate in a continuous state of damage control as it may take a generation before cybersecurity professionals really trust the company.
3. CISOs should write their own summary reports in language that non-technical executives will quickly understand. This is what they call a ‘teachable moment’ for the C-Suite and board.
4. Every cybersecurity professional should read the report from cover to cover. It’s educational and will help them understand what a mature security posture should look like.

Despite its significant cybersecurity contributions over the past few years in areas like threat intelligence, takedowns, and technology innovation — heck, even its security products have become competitive with market leaders in many categories — Microsoft shouldn’t get a pass on the CSRB report. The company has a long journey and a lot of work ahead of it. I hope it does the right thing with humility, transparency, and candor.