Security as mindset: The impact of Microsoft's Secure Future Initiative
The impact of Microsoft's Secure Future Initiative on everything.
Intro
The Microsoft Secure Future Initiative (SFI)… “The what?” Yup, that’s how it often goes in conversations with customers, and with fellow tech-minded people too. This post is not for those who already know all about the topic, but it may be worth sharing the next time you run into that reaction.
In this blog, we’ll dive into what it is and why it is a fundamental change in reasoning and habits.
Microsoft’s Secure Future Initiative
Let’s get back to the beginning. Microsoft started this Initiative in November 2023.
It was not a real surprise after Microsoft embraced Zero Trust back in 2018, but the change in mindset was interesting. SFI was a reaction to the increasing scale and impact of cyberattacks, and it covers the whole company, with the aim of improving security across all of Microsoft’s products and services.
Microsoft built the SFI on 3 principles:
Secure by Design
Security comes first when designing any product or service.
Secure by Default
Security protections are enabled and enforced by default, require no extra effort, and aren’t optional.
Secure Operations
Security controls and monitoring will be continuously improved to meet current and future cyber threats.
SFI goes beyond just technology. It also includes a commitment to transparency—openly sharing progress and incidents—and working closely with customers, partners, and regulators to raise the security bar for everyone.
There’s one more aspect that deserves attention: Continuous improvement. The lesson here is clear. You never just configure and walk away. Security settings, posture, and compliance need regular reviews and updates. In the cloud, these improvement cycles are much shorter than on-premises. And let’s be honest, on-premises needs these cycles too.
And Microsoft is taking this approach themselves, even if some changes mean reworking existing processes. If you’re looking for someone who covers these updates for Entra, Merill Fernando is a great source of inspiration.
The initiative got me thinking. In the past, security was often something you handled at the end of a project or as an afterthought. With Zero Trust and now SFI, the mindset shifts to building security right into the architecture and design phase and making it part of daily operations. Even small changes to a single setting can have security implications you need to consider.
Another question that comes up: how do you manage all of this? On one hand you have to keep up with Microsoft’s continuous improvements; on the other, you make your own configuration changes for workability or to follow best-practice advice. That’s why I’m convinced you need at least a backup or versioning solution for your tenant configuration items. I saw a post on LinkedIn advising this, partly as a protection against threats like ransomware. I’d add that you also need this for continuous improvement: a versioned baseline is what you compare against, so you can recover from a misconfiguration and keep track of new settings as Microsoft rolls them out.
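As an added example (not from the original post, and not a Microsoft tool), here is one way to put that idea into practice for Entra Conditional Access policies: export them to JSON on a schedule, keep each export in version control, and diff the new export against the previous one so that added, removed, changed and re-scoped policies stand out. It assumes the Microsoft.Graph PowerShell SDK (v2) and a signed-in account holding Policy.Read.All; the function names and the two sample snapshots are this example's own, and the snapshots are constructed rather than real tenant data.

```powershell
# Added example (not from the original post, not Microsoft tooling): snapshot
# Entra Conditional Access policies to JSON and flag drift against the previous
# snapshot. Assumes the Microsoft.Graph PowerShell SDK v2 and Policy.Read.All
# (read-only is enough for a backup). Function names are this example's own.

function Export-CaPolicySnapshot {
    param([Parameter(Mandatory)] [string] $Path)

    Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome
    # -All pages through every policy; ConvertTo-Json needs enough depth to keep
    # the nested conditions (users, apps, locations) and grant/session controls.
    $policies = Get-MgIdentityConditionalAccessPolicy -All
    $policies |
        Select-Object Id, DisplayName, State, Conditions, GrantControls, SessionControls |
        ConvertTo-Json -Depth 20 |
        Set-Content -Path $Path -Encoding utf8
    return $policies.Count
}

function Compare-CaPolicySnapshot {
    param(
        [Parameter(Mandatory)] [object[]] $Old,   # previous export (e.g. last git commit)
        [Parameter(Mandatory)] [object[]] $New    # fresh export
    )
    $oldById = @{}; foreach ($p in $Old) { $oldById[$p.Id] = $p }
    $newById = @{}; foreach ($p in $New) { $newById[$p.Id] = $p }

    $findings = [System.Collections.Generic.List[string]]::new()

    foreach ($id in $newById.Keys) {
        $n = $newById[$id]
        if (-not $oldById.ContainsKey($id)) {
            # Present only in the new export: created by an admin, or rolled out
            # by Microsoft (e.g. a Microsoft-managed policy) since the last run.
            $findings.Add("ADDED   $id '$($n.DisplayName)' state=$($n.State)")
            continue
        }
        $o = $oldById[$id]
        # A policy silently moved from enforced to report-only (or disabled) is
        # the most common way a control stops protecting anyone; flag it first.
        if ($o.State -ne $n.State) {
            $findings.Add("STATE   $id '$($n.DisplayName)' $($o.State) -> $($n.State)")
        }
        # Compare everything except State structurally by serialising both sides
        # the same way; any difference in scope or controls shows up as CHANGED.
        $oBody = $o | Select-Object -Property * -ExcludeProperty State | ConvertTo-Json -Depth 20 -Compress
        $nBody = $n | Select-Object -Property * -ExcludeProperty State | ConvertTo-Json -Depth 20 -Compress
        if ($oBody -ne $nBody) {
            $findings.Add("CHANGED $id '$($n.DisplayName)'")
        }
    }
    foreach ($id in $oldById.Keys) {
        if (-not $newById.ContainsKey($id)) {
            $findings.Add("REMOVED $id '$($oldById[$id].DisplayName)'")
        }
    }
    return $findings
}

# Constructed sample snapshots (not real tenant data) so the comparison itself
# runs offline without a Graph connection. In practice $previous comes from the
# JSON committed by the last scheduled run and $current from a fresh export.
$previous = @'
[
  {"Id":"aaaa-1","DisplayName":"Require MFA for all users","State":"enabled","GrantControls":{"BuiltInControls":["mfa"]}},
  {"Id":"aaaa-2","DisplayName":"Block legacy authentication","State":"enabled","GrantControls":{"BuiltInControls":["block"]}}
]
'@ | ConvertFrom-Json

$current = @'
[
  {"Id":"aaaa-1","DisplayName":"Require MFA for all users","State":"enabledForReportingButNotEnforced","GrantControls":{"BuiltInControls":["mfa"]}},
  {"Id":"aaaa-3","DisplayName":"Require compliant device for admins","State":"enabled","GrantControls":{"BuiltInControls":["compliantDevice"]}}
]
'@ | ConvertFrom-Json

Compare-CaPolicySnapshot -Old $previous -New $current
```

With the sample data the comparison reports that policy aaaa-1 dropped from enabled to report-only, that aaaa-3 is new, and that aaaa-2 (the legacy-authentication block) has disappeared; each of those is exactly the kind of change you want a human to look at rather than discover during an incident. Run Export-CaPolicySnapshot on a schedule, commit the JSON file after each run, and the repository history becomes both your rollback point and your record of what Microsoft or your own team changed and when.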
Change in mindset
Adopting the Secure Future Initiative is really about a change in mindset. It’s not just another policy or technical setting to tick off, but a shift in how you look at your entire environment. In some ways, it’s like learning a new skill or building better habits: you have to practice, repeat, and adapt before it becomes second nature. But I am firmly convinced this change in mindset is necessary for MSPs as well as for companies with their own IT departments.
Security can no longer be a checklist at the end of a project or a siloed IT responsibility. You need a holistic approach that connects technology, people, and processes. Without this, gaps will appear—sometimes in places you least expect—and attackers are quick to exploit them.
Never forget: collaboration between teams, within the cloud as well as between on-premises and cloud, is crucial. We, as tech-minded people, need to build solutions that are modular and scalable so we can adapt quickly to changing situations.
This story isn’t just for the enterprise. If you’re a C-level executive, ask yourself: are we still relying on old habits, or are we equipping our teams to anticipate what’s coming next? And for SMBs, the risks are just as real. Smaller organizations are often targeted exactly because attackers know defenses can be inconsistent. SFI isn’t about the size of your company; it’s about raising your baseline and staying resilient.
A final key point: don’t underestimate the human factor. Security adoption only works if end users understand the “why” behind the changes. Invest in user adoption and engagement, create clarity, and make security part of the company culture, not just an IT rulebook. When people understand the purpose, you’ll find much more engagement and support.
Closing
The Secure Future Initiative isn’t just a vision; it’s a practical guide for daily work. Start by making security part of every project and every conversation, from IT to management to end users. Review your settings and configurations regularly, invest in user adoption, and make sure there’s clear ownership of security across the organization. And remember: don’t present security as just a list of things people can’t do, but as an enabler for working safely and efficiently together.
No matter your size, taking these concrete steps will help you keep pace with new threats and stay ahead. Use SFI as a framework, but don’t hesitate to combine it with other standards like CIS, NIST, or your industry-specific requirements. That way, every team can take real action to build a safer, more resilient digital environment, without losing flexibility or productivity.