Microsoft names new CISO in a major security shakeup

In a new leadership reshuffle, Microsoft has appointed Igor Tsyganskiy as its new Chief Information Security Officer (CISO), effective from 1st January 2024. Tsyganskiy, who joined Microsoft four months ago as Chief Strategy Officer, will replace Bret Arsenault, who held the CISO position for 14 years. 

Charlie Bell, Microsoft's Executive Vice President of Security, stated on LinkedIn that the decision to restructure the company's security leadership is part of Microsoft's Secure Future Initiative. This internal program, introduced by Microsoft in November, aims to enhance the security of its wide range of software offerings. 

In a blog post on December 5, Charlie Bell announced that as part of the company's new strategic focus on security, Bret Arsenault will be transitioning out of his longstanding role as CISO and into a position as Chief Security Adviser. Igor Tsyganskiy will assume the CISO role in the New Year, according to Bell. 

"Bret will concentrate on expanding our impact across the entire ecosystem: Microsoft, partners, customers, government agencies, and important communities," Bell wrote. "I am also delighted to welcome Igor into the CISO role. Igor is a technologist and dynamic leader with an impressive career in high-scale/high-security environments."

According to his LinkedIn profile, Arsenault has been with Microsoft since 1990. He started as a senior engineer before holding various security positions, ultimately being appointed as Microsoft's CISO in October 2009.

Prior to joining Microsoft, Tsyganskiy served as Chief Technology Officer at Bridgewater Associates LP, a hedge fund that caters to institutional clients such as pension funds, endowments, foundations, foreign governments, and central banks. Before that, Tsyganskiy worked as Senior Vice President of Product Management at Salesforce Inc. and headed the Advanced Technology Group at SAP SE. 

The change in CISO comes as Microsoft becomes increasingly optimistic about technologies like artificial intelligence (AI), which must be developed with a strong focus on cybersecurity. At the core of the Secure Future Initiative is a commitment to reducing vulnerabilities within Microsoft's product ecosystem. The company plans to increase the use of memory-safe programming languages like Java, C#, and Python, which minimize the risk of specific bugs that can be exploited by cyber-attackers. 

Microsoft is also adopting CodeQL, an open-source tool developed by GitHub for automated vulnerability scanning in code, and streamlining its threat modeling processes. Through the use of a remediation methodology called dSDL, which integrates continuous integration and continuous delivery software, Microsoft aims to double the speed at which vulnerabilities in its cloud services are fixed by accelerating the deployment of security patches. 

"So much of the world relies on Microsoft for its digital safety, and we only need to look at the news headlines to understand that we live in a rapidly evolving threat landscape, one that is highly demanding and drives us to constantly innovate and deliver," said Bell on LinkedIn. "Navigating all of this requires a tremendous amount of leadership expertise and experience." 

Bell added that Tsyganskiy brings "deep knowledge and experience from his previous role outside of Microsoft, and I am excited to continue collaborating with him on this important work." 

Technology news site Benzinga further reported that the shakeup also included Aanchal Gupta, Microsoft's Deputy CISO, who was expected to take over from Arsenault. Gupta has been moved to the role of Technical Adviser to Ales Holecek, Microsoft's Corporate Vice President of the Office Product Group in the Experiences and Devices division.