The Deputy CISO blog series is where Microsoft  Deputy Chief Information Security Officers (CISOs) share their thoughts on what is most important in their respective domains. In this series, you will get practical advice, tactics to start (and stop) deploying, forward-looking commentary on where the industry is going, and more. In this blog you will hear directly from Microsoft’s Deputy Chief Information Security Officer (CISO) for Government and Trust, Tim Langan, about our mindset concerning cyber defense for government spaces.

When taking on the challenge of cyber defense for government, you have to first understand the severity of the cyberthreat landscape. While private businesses are routine targets of a diverse set of threat actors, breaching government entities is frequently an objective for powerful state-sponsored threat actors. And the focus of these extremely well-funded groups goes beyond national governments; state and local governments are regularly targeted as well, often with high rates of success. This is a new status quo for everyone who touches government mission spaces, and it’s a reality that isn’t likely to go away any time soon.

The cyberthreats we face today will look and act differently next month and next year. As threats evolve, we must evolve to face them. In order to meet threat actors where they are today and to best plan for what they will be capable of in the future, Microsoft is taking a comprehensive look at how we approach cyberthreats across our entire landscape. In the months since joining Microsoft as Deputy CISO for Government and Trust, countering this type of persistent, advanced cyberthreat in the government space has been my focus. In real world terms, this means not only examining every detection, every alert, and every security tool with a critical eye, but also looking at how we fundamentally approach cyber health, security practices, and organizational partnerships, starting from the ground up.

The nature of the cyberthreats we face

Threat actors and nation-state actors from every region are increasingly targeting cloud assets with greater sophistication and persistence. In response, we are strongly emphasizing the shift from reactive to more proactive cyber defense measures. This strategy, known as “defend forward,” where Microsoft actively seeks out and mitigates cyberthreats, promotes continual identification and response before cyberthreats can impact Microsoft or our customers. Through Microsoft’s Cybersecurity Governance Council model, we can promote deep integration between the teams with greatest visibility into emergent cyberthreats and the leaders accountable for delivering secure outcomes across Microsoft.  

Another critical component of getting ahead of threats is a continual commitment to open communication with customers, government partners, and even industry counterparts when it comes to cyberthreats. This helps us enhance the security of the global computing ecosystem as a whole. This approach—proactive, collaborative, and transparent—is crucial to remaining ahead of sophisticated, evolving cyberthreats. That also means we need to work together consistently within Microsoft to ensure each one of us is making security part of how we work every day.

As my office expands its engagements with the government, we are committed to listening to our customers’ security needs, increasing our opportunities to share threat information, and hearing their security priorities and challenges first-hand. Internally, because we’ve increased focus on partnerships, we can communicate security perspectives directly into engineering prioritization and planning cycles. This also allows us to more rapidly share cyberthreat information and actions. Every time we learn something new through threat detection and response in one arena, the combination of solutions and tactics we used to counter that cyberthreat can be more readily applied for everyone.

Accelerating secure solutions

As Deputy CISO for Government and Trust, I have the opportunity to be an evangelist for cybersecurity as an accelerator for our government customers. Improving our internal security practices through programs like the Secure Future Initiative means applying security principles consistently across all domains, including high compliance scenarios like United States Federal and Defense sectors. The idea of “secure by design” means integrating security and compliance elements into our development process. Concepts like “paved paths,” where cybersecurity is embedded into established development pathways, also streamline the development process and incentivize engineers to adopt security best practices. When we think about security and compliance as “built-in” versus “bolt-on,” we create the potential of meeting government security and regulatory requirements much earlier in the process, meaning we have opportunities to securely accelerate delivery of products, tooling, and protections to government customers of all sizes. 

The unique perspective of the Cybersecurity Governance Council  

Prior to coming to Microsoft, I was responsible for the FBI’s Criminal, Cyber, Crisis Response and International Operations divisions, along with Victim Services. Even as my role has changed, I understand that the mission and key elements for strong cyber defense remain the same. Cybersecurity is the ultimate team sport, and as a Deputy CISO, I’m uniquely positioned with my fellow Deputy CISOs to share information and research, keeping the lines of communication open around the clock. Collaboration and transparency in this way are pillars of Microsoft’s cybersecurity mission to ensure a comprehensive defense against cyberthreats, and really they’re also critical to establishing a basis of trust with our customers. In 2024, Microsoft Chief Executive Officer Satya Nadella wrote “We recognize that trust is earned, not given. And we remain committed to earning trust every day, spanning cybersecurity, trustworthy AI, privacy, and digital safety.”¹ These words are a North Star guiding the ways we think about delivering security and innovation to our government partners, and above all, in supporting our customers in their security journeys.

Learn more

To hear more from Microsoft Deputy CISOs, check out the OCISO blog series. To stay on top of important security industry updates, explore resources specifically designed for CISOs, and learn best practices for improving your organization’s security posture, join the Microsoft CISO Digest distribution list.

Learn more about the Microsoft Secure Future Initiative.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Microsoft 2024 Annual Report