Microsoft CISO, Deputy CISO Reassigned in Management Shakeup
Former Bridgewater CTO Igor Tsyganskiy Named CISO in Wake of Chinese Email Hack
Microsoft has demoted its CISO after 14 years on the job, reassigned its deputy CISO and named Igor Tsyganskiy - a former CTO at Bridgewater Associates who just joined Microsoft four months ago as chief strategy officer - as its new chief information security officer. The shakeup comes on the heels of a high-profile breach of U.S. government Office 365 email accounts by Chinese nation-state hackers detected in July.
Charlie Bell, executive vice president of security at Microsoft, announced the staff changes on LinkedIn, thanking longtime CISO Bret Arsenault for "establishing a strong security culture" at Microsoft but adding that the company needs to "evolve and adapt our approach."
Effective Jan. 1, Arsenault will move to a chief security adviser role and Tsyganskiy will begin as CISO. The moves come amid an investigation by the U.S. Department of Homeland Security into the hacking of email accounts tied to 25 different organizations, including the departments of State and Commerce, by a China-based espionage hacking group.
Bell said Tsyganskiy will lead Microsoft's new Secure Future Initiative, which was unveiled last month to address criticism of Microsoft cloud security and numerous zero-day vulnerabilities in its software products and operating system that have been exploited in the wild.
"So much of the world depends on Microsoft for its digital safety, and we need look no further than the news headlines to know we live in a rapidly evolving threat landscape, one that is highly demanding and drives us to continually innovate and deliver," Bell said. "The speed, sophistication and scale of cyberattacks is accelerating. This requires a new focus."
Tsyganskiy, described by Bell as "a technologist and dynamic leader with a storied career in high-scale/high-security, demanding environments," spent the last seven years at Bridgewater Associates, an investment management firm, as CTO and head of investment technologies and critical infrastructure. He previously led product management at Salesforce and the advanced technology group at SAP. Near the beginning of his career, Tsyganskiy architected data analytics software Tealeaf before it was sold to IBM in 2001.
"I am humbled and honored to take a responsibility of protecting Microsoft with a large and dedicated community of security professionals all over the world," Tsyganskiy wrote on LinkedIn.
As security adviser, Arsenault "will focus on escalating our impact across the entire ecosystem: Microsoft, partners, customers, government agencies, and important communities." His former deputy CISO and corporate vice president, Aanchal Gupta, announced in a LinkedIn post her reassignment to the firm's "experiences + devices" business unit where she will help "shape the future of our M365 products." Gupta was relatively new to Microsoft, having taken a job in Azure cloud security in 2020 after a four-year stint as security director at Meta.
Microsoft brought in Bell to lead its security program in 2021 after he had spent 23 years at AWS. As Microsoft's cloud and security businesses have charted double-digit growth in recent years, security issues with Microsoft products have followed.
The Redmond company admitted that a trail of errors had led to the Chinese hacking incident, starting with the theft of digital signing keys that allowed hackers to create their own authentication tokens to access cloud-based Outlook email accounts. In 2022, Microsoft disclosed that the Lapsus$ ransomware group had accessed some of its source code after hackers compromised an account, but it said the code wasn't sensitive.
Microsoft products and operating systems have served as prime targets for hackers because of their widespread use in both public and private sector organizations. This summer, Microsoft alerted customers to multiple critical zero-day vulnerabilities affecting Internet Explorer and versions of the Windows operating system, prompting the company and the U.S. Cybersecurity and Infrastructure Security Agency to urge immediate patching.