With cyber threats looming larger than ever, companies are racing to fortify their digital defenses. Microsoft, one of the largest technology companies in the world, has not been immune to such threats. Following a spate of high-profile cyberattacks that sullied its reputation, it has taken decisive action to tie the financial incentives of top executives to the company’s cybersecurity performance. It is a pioneering approach that focuses not just on protecting data, but on creating a culture of security that saturates every level of the organization.

Microsoft’s announcement marks a new turn in how corporate accountability is approached in cybersecurity, as the company will tie executive compensation to its security performance. It comes after a difficult period for Microsoft, which has been the target of a series of advanced cyberattacks by groups such as Storm-0558 and Midnight Blizzard. These incidents have revealed not just vulnerabilities within Microsoft’s systems, but also how seriously the company must take the security of customer data and infrastructure.
Microsoft’s CEO, Satya Nadella, has been vocal about his company’s renewed focus on security, declaring, “Microsoft is putting security above all else.” The declaration is an acknowledgement by the company itself of how critical cybersecurity is in today’s connected world. That commitment has taken many shapes, but one of the clearest manifestations of it so far is the Secure Future Initiative (SFI), announced this past November and expanded since. “Accountability starts at the top,” said Charlie Bell, EVP of Microsoft Security, in a blog post announcing that compensation for the Senior Leadership Team is now tied to certain key security milestones.

Publicly linking pay to security outcomes is a bold step forward, and while the exact particulars of the arrangement remain proprietary, it sends a strong message to the wider industry and to Microsoft’s workforce. By tying a portion of executive bonuses to security performance, Microsoft is, in effect, stating that protection against cyber threats is not an IT issue but a business imperative that deserves attention and action from the topmost echelons of leadership.
The strategy comes in concert with findings from the Department of Homeland Security’s Cyber Safety Review Board, which faulted Microsoft for security practices it described as “avoidable errors.” The March report was a wake-up call that underscored the need for Microsoft to take a hard look at its security culture and practices. Microsoft has since unveiled a new security governance framework championed by its new Chief Information Security Officer, Igor Tsyganskiy. This framework pairs engineering teams with a Deputy CISO to manage the Secure Future Initiative (SFI), assess risks, and report directly to the Senior Leadership Team.
Several major security lapses in the past place a premium on Microsoft getting this right. In the Storm-0558 attack on Microsoft’s Azure service, data belonging to many customers, including US federal agencies, was accessed without authorization. In the Midnight Blizzard breach, a test account was compromised, giving the attackers long-term access to Microsoft’s systems. These incidents caused not only severe financial and reputational damage but also sharp criticism from security experts, lawmakers, and regulatory bodies.
Microsoft has outlined a comprehensive plan to bolster its cybersecurity posture.
It has articulated three security principles, ‘secure by design,’ ‘secure by default,’ and ‘secure operations,’ and six security pillars covering weaknesses across its systems and development practices. Other planned enhancements include multi-factor authentication for all user accounts, least-privilege access, enhanced network monitoring, and two-year retention of security logs. Microsoft will also embed Deputy CISOs within engineering teams to ensure security is built into every part of the company’s operations.
Changes Microsoft has already made include automatically enforcing multi-factor authentication for over a million of its Entra ID tenants and removing hundreds of thousands of outdated or insecure applications. It has also adopted the Common Weakness Enumeration (CWE) standard for its security disclosures, a good sign that it is serious about transparency and continuous improvement.
But beyond those purely technical measures, Microsoft’s corporate culture is shifting. An internal memo from CEO Satya Nadella, obtained by The Verge, drives home that, where necessary, security must be put above other business considerations such as adding new features. “If anyone ever asks you if you’d rather take security over some other feature,” Nadella writes, “the answer is yes.”
The shift in Microsoft’s approach reflects a wider trend in the corporate world. A small but increasing number of firms is beginning to link executive compensation to cybersecurity goals. Last year saw similar moves by Johnson & Johnson, the London Stock Exchange Group, and the Paragon Banking Group, among others, a recognition that cybersecurity is not just a technical problem but also a business one that requires leadership accountability.
Integrating cybersecurity metrics into executive pay is a difficult task, since the causes of data breaches are often too multifaceted to predict. That said, this emergent practice does suggest that boards and stakeholders may increasingly insist on accountability for cybersecurity outcomes. Although it may be too early to say whether this will become a mainstream trend, Microsoft’s move, and that of any other forward-thinking company, may well light the way to a new standard in corporate cybersecurity governance.
The company is rectifying past errors and prioritizing security in its business strategy.
The effort to link executive pay to cybersecurity performance is a bold experiment in corporate accountability with far-reaching implications for the industry and beyond: Microsoft’s SFI responds to security breaches and sets an industry precedent with pay linked to security.
The SFI is a broad set of strategies designed to cope with the many dimensions of cybersecurity. It is based on three main security principles: ‘secure by design,’ ‘secure by default,’ and ‘secure operations.’ Six security pillars further support the three principles in strengthening Microsoft’s systems against cyber threats. These six pillars focus on areas such as user authentication and access control, network monitoring, and data retention.
The addition of Deputy CISOs has ensured security in development, oversight of the security pillars, and direct reporting to leadership, making security a top priority. Steps taken so far include enforcing multi-factor authentication, cleaning up outdated applications, adopting CWE for disclosures, and a memo from the CEO himself placing security above the development of new features.
Microsoft’s approach to cybersecurity is reflective of a broader trend in the corporate world.
The linking of executive compensation to cybersecurity goals is gaining traction, with companies like Johnson & Johnson, the London Stock Exchange Group, and Paragon Banking Group leading the way. This trend indicates a growing recognition of the importance of cybersecurity in business operations and the need for leadership accountability.
Linking cybersecurity metrics to executive pay is complicated, as the causes of data breaches are multifaceted and generally unpredictable, but the practice does indicate a growing demand by stakeholders and boards for accountability in cybersecurity outcomes. It may be too early to say if it will result in a new trend, but Microsoft’s action and others like it could raise a new bar in corporate cybersecurity governance.
It’s another good example of how Microsoft has to square its admirable transparency with sometimes untenable sensitivity. Workers at Microsoft have been preparing for a salary freeze and bonus cut, after being warned as much by Nadella himself back in January. However, according to the guidance leaked to Insider, managers are advised to lead any conversations around compensation with the value of employee work product rather than the constraints of the budget.
This is a major step in Microsoft’s cybersecurity journey. By tying executive compensation to security performance, Microsoft is also signalling that cybersecurity is a must-have for the business. Its principles and pillars serve as guidelines toward a more secure digital world, and the involvement of Deputy CISOs gives security real standing inside the organization. As Microsoft and many others keep innovating in cybersecurity governance, accountability for defending against cyber threats may increasingly become the expectation.