Use Microsoft’s internal cyber risk management to benchmark your own organisation


July 6, 2023
Microsoft Australia

As a cyber and information technology leader, Microsoft has evolved a comprehensive, streamlined risk management system. This system covers all aspects of the company’s activities, including cyber, with principles and practices that are applicable to organisations of different sizes.

Designed for simplicity and effectiveness, Microsoft’s approach makes cyber risk and cybersecurity decisions easier to take. It also balances an organisation-wide view of cyber risk against risk that is specific to individual business groups. Above all, it turns theory into practice with a risk-based approach to cybersecurity that is relevant to many other organisations.

The big risk picture

Today’s risk management landscape can be highly varied. For Microsoft, for example, risk management challenges include cyber, software and service quality and availability, data privacy, financial reporting, regulatory reform, market instability, corruption, and geopolitical turmoil.

Start with smart organisation


At Microsoft, risk management is the foundation of our security efforts. It starts with the Microsoft board of directors and flows down through senior leadership to business units and teams. Our security governance model gives us a consistent approach to the top and emerging security risks affecting Microsoft.

Microsoft has the following dedicated structures in place for risk management:

  • The Information Risk Management Council (IRMC) identifies top risks, forms working groups, recruits executive sponsors, and keeps the board apprised of developments.
  • The Audit, Risk & Compliance (ARC) centre of excellence provides advisory, audit, and investigative services. It oversees technologies, methodologies, and optimisation, including listening systems and the use of applications like Power BI for analytics and insights.

Risk management for information protection

We have three pillars of information protection: identity management, device health, and data and telemetry. We balance this protection with risk management and assurance. Threat intelligence feeds the identification and assessment of cyber risk by defining threat scenarios, threat actors, and attack capabilities.

We then define ongoing objectives and supporting services. For example, we have an ongoing objective of accelerating cloud security capabilities. Services to support this objective include app and infrastructure security, external assessments, and red team penetration testing.

Tools for risk management decisions and implementation

We use row-and-column matrices to assess our coverage of attack stages against types of attack. Risk management readiness is easy to read when each attack stage/attack type cell is coloured by its level of protection: green indicates readiness of 75% or more, yellow corresponds to 50 to 75%, and red shows 0% coverage. Note that these three bands leave coverage between 0% and 50% unassigned; a usable scale must give every possible value a colour, which in practice means treating anything below 50% as red.
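The following is an added example of such a coverage matrix, written for this page rather than taken from Microsoft's own tooling. It assumes a constructed control inventory (hypothetical control names, attack stages and attack types) in which each control is mapped to the stage/type cells it addresses, computes per-cell coverage as the share of mapped controls that are actually deployed, colours each cell with contiguous bands (anything below 50% is red, an assumption that closes the gap in the bands as stated above), and lists the red cells worst-first so that cells with no control mapped at all surface before cells whose controls merely are not deployed yet.

```python
"""Attack stage x attack type coverage matrix (added example, not Microsoft's code)."""
from collections import defaultdict

# Assumed taxonomy for the example; a real programme would use its own stage/type lists.
STAGES = ["initial_access", "execution", "persistence", "exfiltration"]
TYPES = ["phishing", "credential_theft", "malware", "insider"]

# Constructed, hypothetical control inventory: which cells each control addresses
# and whether it is deployed. Coverage per cell = deployed / mapped controls.
CONTROLS = [
    {"name": "MFA on all accounts", "stages": ["initial_access"],
     "types": ["phishing", "credential_theft"], "deployed": True},
    {"name": "Mail sandboxing", "stages": ["initial_access", "execution"],
     "types": ["phishing", "malware"], "deployed": True},
    {"name": "Application control", "stages": ["execution", "persistence"],
     "types": ["malware"], "deployed": False},
    {"name": "EDR on all endpoints", "stages": ["execution", "persistence"],
     "types": ["malware", "credential_theft"], "deployed": True},
    {"name": "Privileged access workstations", "stages": ["persistence"],
     "types": ["credential_theft", "insider"], "deployed": False},
    {"name": "DLP on outbound mail", "stages": ["exfiltration"],
     "types": ["insider", "phishing"], "deployed": True},
    {"name": "Egress filtering", "stages": ["exfiltration"],
     "types": ["malware", "insider"], "deployed": False},
]


def band(coverage: float) -> str:
    """Colour band. Green >= 75% and yellow 50-75% follow the page; red for
    everything below 50% is an assumption that makes the scale contiguous."""
    if coverage >= 0.75:
        return "green"
    if coverage >= 0.50:
        return "yellow"
    return "red"


def coverage_matrix(controls, stages=STAGES, types=TYPES):
    """Return {(stage, type): {"coverage", "colour", "controls"}} for every cell.
    A cell with no mapped control gets coverage 0.0 and controls 0, which is the
    most important kind of red: nobody has even planned a control for it."""
    mapped = defaultdict(int)
    deployed = defaultdict(int)
    for control in controls:
        for stage in control["stages"]:
            for atype in control["types"]:
                mapped[(stage, atype)] += 1
                if control["deployed"]:
                    deployed[(stage, atype)] += 1
    matrix = {}
    for stage in stages:
        for atype in types:
            n = mapped[(stage, atype)]
            ratio = deployed[(stage, atype)] / n if n else 0.0
            matrix[(stage, atype)] = {"coverage": ratio, "colour": band(ratio), "controls": n}
    return matrix


def gaps(matrix):
    """Red cells, worst first: unmapped cells before cells that have a control
    planned but not deployed, then by ascending coverage (sort is stable)."""
    red = [(cell, info) for cell, info in matrix.items() if info["colour"] == "red"]
    return sorted(red, key=lambda kv: (kv[1]["controls"] > 0, kv[1]["coverage"]))


def render(matrix, stages=STAGES, types=TYPES) -> str:
    """Plain-text grid with colour and percentage per cell, for a report or ticket."""
    width = max(len(t) for t in types) + 2
    lines = ["".ljust(18) + "".join(t.ljust(width) for t in types)]
    for stage in stages:
        cells = []
        for atype in types:
            cell = matrix[(stage, atype)]
            cells.append(f"{cell['colour']}({cell['coverage']:.0%})".ljust(width))
        lines.append(stage.ljust(18) + "".join(cells))
    return "\n".join(lines)


if __name__ == "__main__":
    m = coverage_matrix(CONTROLS)
    print(render(m))
    print("\nPrioritised gaps:")
    for (stage, atype), info in gaps(m):
        state = "no control mapped" if info["controls"] == 0 else "mapped but not deployed"
        print(f"  {stage} / {atype}: {state}")
```

Mapping controls to cells is the part that needs care: a control that is deployed but only partially effective in a cell should be counted with a weight rather than as a whole control, and a cell that stays green only because a single control covers it is a single point of failure worth flagging separately.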

We also use enterprise security scorecards (ESS) to align risk categories, security actions, and metrics so that progress is visible. For example, for identity management (a cyber risk category), a security action is to bring accounts under Zero Trust and remove interactive logon rights. The metric that shows progress is then the number of accounts functioning without interactive logon rights.

Being pragmatic to be effective

Our enterprise risk management framework is aligned with Microsoft’s goals and objectives as a global organisation. The framework is also contextualised for specific business groups: each business group may use its own controls for the identification, assessment, response, and monitoring of a given risk. We then communicate this business group-level information back up to the enterprise level for a unified organisational view.

A model relevant for other organisations

While the risks affecting Microsoft may differ from those for other enterprises, the principles and best practices adopted by Microsoft are applicable to many other organisations, regardless of size. You might like to consider the Microsoft risk management architecture as a scalable model for your own business.

