In December, Quorum Cyber hosted a fireside chat-style webinar to guide attendees through Microsoft’s Secure Future Initiative (SFI), which puts ‘security above all else’, and recommend how organisations can apply the lessons of SFI to strengthen their cyber security and cyber resilience.
John Dellinger, our Head of Advisory, and Jackson Gray, a Solutions Architect, were joined by Lesley Kipling, Chief Security Advisor at Microsoft, and a member of Quorum Cyber’s Strategic Advisory Board (SAB).
SFI sets the security culture and governance that underpin everything the company does. Its three core principles are:
- Secure by Design
- Secure by Default
- Secure Operations
“SFI is how we prioritise our security strategy at Microsoft,” said Lesley. “SFI is the priority for the zero-trust initiative.”
“We have to think about all the challenges that face everybody,” she said. “We have to think about collective defence because today we’re a hyperscale cloud provider. And we have to think about how attackers think about it, too.”
Through changing its culture around security, Lesley revealed that Microsoft has moved away from having only one Chief Information Security Officer (CISO) to having almost 20 deputy CISOs “because today the role of the CISO is very challenging and organisations are so complex”.
She added that one of the things the company did to make sure that SFI embodied a company-wide security change was to link security-based Key Performance Indicators (KPIs) to employees’ rewards and bonuses.
“We try to drive a security-first culture so that everybody feels like they’re involved in securing the ecosystem.” Security thinking must be ingrained into the everyday actions and behaviours of its roughly 220,000 employees, many of whom are engineers and developers.
Security is a continuous journey
John emphasised that “security is a journey, not a destination”, so it never has a fixed end-date like a project: “SFI is not a once-a-year check-in but a continuous improvement. If you follow the SFI roadmap, you will gain compliance and stay compliant.”
He added that, “there are plenty of things that customers benefit from with Microsoft’s SFI journey” and “we can emulate our own SFI journey.”
SFI’s six engineering pillars
Jackson covered the six engineering pillars that SFI is organised around, and for each one suggested a first practical action that an organisation can complete within a few weeks.
- Protect identities and secrets: “Implement a user review audit to check inactive users, what they have access to, and what their privileges are”
- Protect tenants and isolate production systems: “Assign tenant ownership to a specific administrator(s)”
- Protect networks: “Audit and document any external-facing assets your organisation has, including firewalls”
- Protect engineering systems: “Check that there are no credential leaks or vulnerabilities”
- Monitor and detect threats: “Retain 90 days of logs so that you can establish a baseline of what’s business as usual”
- Accelerate response and remediation: “Conduct a quarterly tabletop exercise”.
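As a concrete starting point for the first pillar, the following PowerShell script is an added example (it is not code from the webinar, from Quorum Cyber or from Microsoft's SFI material) that performs the inactive-user and privilege review described above against a Microsoft Entra ID tenant using the Microsoft Graph PowerShell SDK. It assumes a 90-day inactivity threshold, which is an assumption chosen here, not a figure from the webinar, and it treats a user as "last seen" at the later of their interactive and non-interactive sign-ins, falling back to the account creation date so that newly created accounts that have not signed in yet are not flagged.

```powershell
# Added example (not from the webinar): Entra ID user access review that lists users
# with no sign-in in the last N days, together with any directory roles they hold.
# Requires the Microsoft.Graph SDK (Install-Module Microsoft.Graph -Scope CurrentUser).
# signInActivity needs an Entra ID P1/P2 licence and the AuditLog.Read.All scope.
# Assumption: a 90-day inactivity threshold. Adjust to your own access review policy.
$InactiveDays = 90
$Cutoff = (Get-Date).AddDays(-$InactiveDays)

Connect-MgGraph -Scopes "User.Read.All","AuditLog.Read.All","Directory.Read.All" -NoWelcome

# Map user object id -> names of the activated directory roles the user is a direct member of.
# Caveat: roles assigned via role-assignable groups or PIM eligibility are not captured here.
$RolesByUserId = @{}
foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        if (-not $RolesByUserId.ContainsKey($member.Id)) { $RolesByUserId[$member.Id] = @() }
        $RolesByUserId[$member.Id] += $role.DisplayName
    }
}

# Pull every user with its sign-in activity. Users who have never signed in have a null
# LastSignInDateTime, so the creation date is used as the reference point instead.
$Users = Get-MgUser -All -Property "id,displayName,userPrincipalName,accountEnabled,createdDateTime,signInActivity"

$Findings = foreach ($u in $Users) {
    $lastSeen = @(
        $u.SignInActivity.LastSignInDateTime,
        $u.SignInActivity.LastNonInteractiveSignInDateTime
    ) | Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1

    $reference = if ($lastSeen) { $lastSeen } else { $u.CreatedDateTime }
    if ($reference -ge $Cutoff) { continue }   # active, or created within the window

    $roles = if ($RolesByUserId.ContainsKey($u.Id)) { $RolesByUserId[$u.Id] -join '; ' } else { '' }

    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        DisplayName       = $u.DisplayName
        AccountEnabled    = $u.AccountEnabled
        Created           = $u.CreatedDateTime
        LastSeen          = $lastSeen          # $null means never signed in
        PrivilegedRoles   = $roles
        # An enabled, inactive account that still holds a directory role is the one to act on first.
        Priority          = if ($u.AccountEnabled -and $roles) { 'High' }
                            elseif ($u.AccountEnabled) { 'Medium' }
                            else { 'Low' }
    }
}

$Order = @{ 'High' = 0; 'Medium' = 1; 'Low' = 2 }
$Findings |
    Sort-Object @{ Expression = { $Order[$_.Priority] } }, LastSeen |
    Format-Table UserPrincipalName, AccountEnabled, LastSeen, PrivilegedRoles, Priority -AutoSize

# Keep the evidence: the CSV is the artefact a reviewer signs off and a later audit compares against.
$Findings | Export-Csv -Path ".\inactive-user-review-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Run it from an account that holds a read-only directory role rather than a Global Administrator, and treat the "High" rows (enabled, inactive, still privileged) as the first candidates for disabling or role removal. Because Get-MgDirectoryRoleMember only returns direct members of activated roles, extend the role lookup to cover role-assignable groups and Privileged Identity Management eligibility before relying on the report for a formal access review.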
Learn more about Microsoft’s SFI and how to use it
You can watch the full 45-minute webinar for free on our website to delve deeper into the practical exercises your organisation can take to embed a security-first culture.
If you wish, you can download Microsoft’s November 2025 SFI Progress Report.
Contact us if you would like to discuss any aspects of your cyber security requirements.