Services for Organizations

Using our research, best practices and expertise, we help you understand how to optimize your business processes using applications, information and technology. We provide advisory, education, and assessment services to rapidly identify and prioritize areas for improvement and perform vendor selection

Consulting & Strategy Sessions

Ventana On Demand

    Services for Investment Firms

    We provide guidance using our market research and expertise to significantly improve your marketing, sales and product efforts. We offer a portfolio of advisory, research, thought leadership and digital education services to help optimize market strategy, planning and execution.

    Consulting & Strategy Sessions

    Ventana On Demand

      Services for Technology Vendors

      We provide guidance using our market research and expertise to significantly improve your marketing, sales and product efforts. We offer a portfolio of advisory, research, thought leadership and digital education services to help optimize market strategy, planning and execution.

      Analyst Relations

      Demand Generation

      Product Marketing

      Market Coverage

      Request a Briefing



        Jeff Orr's Analyst Perspectives

        << Back to Blog Index

        Restructuring Cybersecurity: Lessons from Microsoft's Recent Changes

        The structures that govern enterprise security teams are under scrutiny. A recent report from a government watchdog group has taken issue with Microsoft’s cybersecurity strategies in the wake of its Exchange Server attacks, prompting the enterprise software giant to re-evaluate its reporting structures. The implications of this shift extend beyond Microsoft itself, with cybersecurity becoming a leading challenge for companies from every industry as cyber and ransomware attacks have grown in frequency and sophistication, raising critical questions for enterprise executives: How should organizations structure their cybersecurity efforts to ensure resilience in the face of growing threats?

        The news is significant: Microsoft has appointed Deputy Chief Information Security Officers (CISOs) to various product engineering teams. This move is a direct response to the criticism regarding the company’s cybersecurity practices—a reminder that securing sensitive data isn’t just a technical issue; it’s an enterprise-wide priority.

        Following the report on Microsoft, Amazon shared that its InfoSec organization underwent changes two years prior, with the parent company naming a CISO who received direct reports from the business line CISOs, including AWS, consumer and devices organizations. The Amazon CISO reports directly to the CEO rather than to the CIO, reflecting a growing belief in the industry: cybersecurity is fundamentally a “people problem,” one that spans beyond the traditional IT domain. By elevating security discussions to the executive level, Amazon and Microsoft are leading the charge towards a more integrated approach to cybersecurity.

        In an email to employees, the Microsoft CEO expressed how security is everyone’s top priority, highlighting the launch of Microsoft’s Secure Futures Initiative (SFI). He emphasized that understanding and addressing security needs is critical not just for the company but also for its customers.

        But Microsoft isn’t stopping there. Senior leadership team performance and incentive plans now must include demonstrable progress in cybersecurity milestones and programs. This tangible commitment underscores a crucial point: cybersecurity is no longer the sole responsibility of the IT department—it’s integral to the overall business strategy. The change appears to be more than just words as Microsoft’s CEO requested an incentive pay reduction related to the most recent security incidents.

        Historically, Microsoft has faced scrutiny for shortcomings in cybersecurity, even rebranding itself after a Windows OS debacle as “the security company” without altering customer sentiment. This time, however, the focus on organizational change signals a recognition that to be effective, security must be woven into the fabric of all products, services and departments.

        The question arises: Are other enterprises now reviewing their organizational security structures in light of these developments? The answer is increasingly yes. Many companies are rethinking their cybersecurity strategies,ISG_Research_2024_Assertion_Security_Cyber_InfoSec_Converge_46_S contemplating shifts away from traditional centralized models. ISG Research asserts that through 2026, over two-thirds of enterprises will converge cyber and information security efforts into digital security programs for effective governance and the protection of physical and digital assets. This is a call to action for executives at all levels.

        Does your organization have the right leadership structure to face today’s cybersecurity challenges? Are there misalignments that could leave your enterprise vulnerable? These are tough questions worth exploring.

        In the latest ISG Market Lens Cybersecurity Study, 61% of security decision-makers rely on an internal management approach to cybersecurity investments, while 39% outsource cybersecurity as a managed service approach. As enterprise leaders navigate this complexity, they should consider the following best practices:

        1. Integrate cybersecurity across all functions: All departments must collaborate on cybersecurity initiatives and understand their role in protecting the organization.
        2. Elevate security conversations: Consider reporting structures that keep security discussions within the C-suite, leveraging insights and commitment at the highest levels of the business.
        3. Measure and reward progress: Implement clear performance metrics around cybersecurity and hold executives accountable. When cybersecurity success contributes to organizational goals, it garners the attention it deserves.
        4. Stay agile: The threat landscape is constantly evolving. Organizations must remain flexible and ready to adapt strategies in response to new threats.

        As we look ahead, cybersecurity management is poised to evolve significantly. Enterprise executives should keep an eye on emerging trends such as Zero Trust architectures, greater emphasis on user education and the use of artificial intelligence and machine learning (AI/ML) technologies in threat detection and response.

        By embracing these changes and rethinking their approaches, organizations can better prepare themselves for the realities of today’s cyber threats. Engage in conversations about security that transcend the IT department and involve the entire organizational ecosystem. After all, in a world where cyber threats are ubiquitous, cybersecurity is indeed everyone’s responsibility.

        Regards,

        Jeff Orr

        Jeff Orr
        Director of Research, Digital Technology

        Jeff Orr leads the research and advisory for the CIO and digital technology expertise at ISG Software Research, with a focus on modernization and transformation for IT. Jeff’s coverage spans cloud computing, DevOps and platforms, digital security, intelligent automation, ITOps and service management, intelligent automation and observation technologies across the enterprise.

        JOIN OUR COMMUNITY

        Our Analyst Perspective Policy

        • Ventana Research’s Analyst Perspectives are fact-based analysis and guidance on business, industry and technology vendor trends. Each Analyst Perspective presents the view of the analyst who is an established subject matter expert on new developments, business and technology trends, findings from our research, or best practice insights.

          Each is prepared and reviewed in accordance with Ventana Research’s strict standards for accuracy and objectivity and reviewed to ensure it delivers reliable and actionable insights. It is reviewed and edited by research management and is approved by the Chief Research Officer; no individual or organization outside of Ventana Research reviews any Analyst Perspective before it is published. If you have any issue with an Analyst Perspective, please email them to ChiefResearchOfficer@isg-research.net

        View Policy

        Subscribe to Email Updates



        Analyst Perspectives Archive

        See All