Dive Brief:
- Microsoft said Friday that it plans to base part of the compensation of its senior leadership team on the company’s progress in meeting cybersecurity objectives and milestones.
- The step is part of a broader effort by Microsoft to alleviate concerns about its reliability as a cybersecurity company in the wake of a blistering report from the Department of Homeland Security’s Cyber Safety Review Board.
- “Ultimately, Microsoft runs on trust and this trust must be earned and maintained,” Charlie Bell, executive vice president at Microsoft Security, said in a blog post. “As a global provider of software, infrastructure, and cloud services, we feel a deep responsibility to do our part to keep the world safe and secure.”
Dive Insight:
The news was welcomed by Homeland Security Secretary Alejandro Mayorkas.
“Microsoft’s full cooperation with the Board’s review helped create the tangible recommendations that will benefit not only Microsoft’s customers, but also the public at large that depends on the security of cloud services,” Mayorkas said in a press release.
Microsoft’s announcement comes on the heels of a CSRB report in early April in which the company was harshly criticized for its response to the summer 2023 hack of Microsoft Exchange Online.
The report said the attack — which led to the theft of 60,000 emails at the State Department and the hack of Commerce Secretary Gina Raimondo’s email account — was “preventable and should never have occurred.” The board also concluded that Microsoft’s security culture was inadequate and required an overhaul, particularly in light of the company’s central position in the technology ecosystem.
“To drive the rapid cultural change that is needed within Microsoft, the Board believes that Microsoft’s customers would benefit from its CEO and Board of Directors directly focusing on the company’s security culture and developing and sharing publicly a plan with specific timelines to make fundamental, security-focused reforms across the company and its full suite of products,” the report said. “The Board recommends that Microsoft’s CEO hold senior officers accountable for delivery against this plan.”
The findings came the same week as Microsoft’s disclosure in January that it detected a cyberattack against its corporate email systems. The incident was attributed to a Russian state-sponsored actor known as Midnight Blizzard.
In his blog post, Bell said Microsoft was adopting recommendations from the CSRB report as part of an expansion of the software giant’s Secure Future Initiative, a plan launched last November to grapple with rising cyberthreats. He said the board’s findings, coupled with the Midnight Blizzard attack, “underscore the severity of the threats facing our company and our customers.”
Without elaborating, he said Microsoft is seeking to “instill accountability” by basing at least part of top executives’ compensation on whether cybersecurity objectives are achieved. A Microsoft spokesperson declined to share further details, saying “stay tuned.”
The company is also implementing a new security governance framework spearheaded by the chief information security officer, Bell wrote. The framework introduces a partnership between engineering teams and newly formed deputy CISOs, collectively responsible for overseeing the Secure Future Initiative, managing risks, and reporting progress directly to the senior leadership team, he said.
In addition, the company’s engineering executive vice presidents are now holding broadscale weekly and monthly operational meetings that include all levels of management and senior individual contributors, according to the blog post.