Microsoft CEO Satya Nadella says the company needs a 'culture change' after security failures

• Microsoft CEO Satya Nadella called for a culture change amid the company's security challenges.
• The company has contended with the global CrowdStrike outage and vulnerability to Chinese hacks.
• Microsoft has accepted responsibility for security flaws, acknowledging breaches by hackers.

Microsoft, the world's largest software maker, doesn't have the best track record regarding security.

Microsoft CEO Satya Nadella says the company needs to change that. "That's what will be culture change," he said in a recent Wired interview.

Microsoft has faced a series of high-profile cybersecurity challenges over the past year.

In July, the company was at the center of a global IT outage caused by a faulty update from cybersecurity firm CrowdStrike. In March, a report from the US Department of Homeland Security flagged Microsoft's security systems as inadequate and called for an "overhaul," noting that the company was particularly vulnerable to attacks from a Chinese hacking group called Storm-0588.

Brad Smith, vice chair and president of Microsoft, acknowledged these flaws in a written statement to the Department of Homeland Security in June. "Before I say anything else, I think it's especially important for me to say that Microsoft accepts responsibility for each and every one of the issues cited in the CSRB's report," he wrote.

Earlier in the year, Microsoft said that its systems had also been compromised by the Russian hacking group Midnight Blizzard, which accessed a "very small percentage" of corporate email accounts. This group was also responsible for the 2020 attack on SolarWinds, a major IT firm that counts Microsoft as one of its primary clients.

Since taking the helm in 2014, Nadella has been known for leading empathetically and emphasizing that change wouldn't come from blaming employees. "This is not about a witch hunt internally at Microsoft," he told Wired. However, he said that "perverse incentives" often lead companies to prioritize product development over securing existing products.

That mindset may have played a role in the SolarWinds attack. A ProPublica report in June found that Microsoft knowingly hid a security flaw in one of its services to avoid jeopardizing its chances of securing government investment in its cloud business. The flaw was later exploited by the Russian hackers behind the attack.

Microsoft did not immediately respond to a request for comment from Business Insider.