Microsoft ties pay for top bosses to meeting cybersecurity goals

Microsoft Corp announced new anti-hacking initiatives, including basing a portion of senior leaders’ compensation on meeting cybersecurity milestones, following harsh criticism of the company for failing to contain several serious attacks.

Microsoft said it’s also prioritising security over new feature development and adding cybersecurity chiefs to its product groups. Chief executive officer Satya Nadella was scheduled to send a companywide email Friday outlining the new measures and reinforcing the notion that security is “job #1”.

Microsoft in November unveiled the Secure Future Initiative, its most significant security plan since co-founder Bill Gates halted Windows development in 2002 and ordered engineers to prioritise product safety over new features. But a scathing report by a government cybersecurity panel last month described Microsoft’s security culture as inadequate and some rivals, government officials and customers have questioned whether the recent overhaul went far enough.

“We must and will do more,” Microsoft security chief Charlie Bell wrote in a blog Friday. “We are making security our top priority at Microsoft, above all else – over all other features.”

As part of that, the company is expanding the scope of the Secure Future Initiative, he said, integrating recommendations from the government panel’s report as well as lessons gleaned from a recent breach tied to Russian state-sponsored hackers.

The company’s security approach, Bell said, will be guided by three principles: security comes first when designing any product or service; security protections are enabled and enforced by default, require no extra effort and are not optional; and security controls and monitoring will be continuously improved to meet current and future threats.

“Culture can only be reinforced through our daily behaviours,” Bell said. The deputy chief information security officers being added to the product groups will report to Igor Tsyganskiy, who became global chief information security officer in December, one month after Microsoft announced its security overhaul.

Ann Johnson, a Microsoft security executive since 2015, has been named deputy CISO for customer outreach and regulated industries and also will report to Tsyganskiy. Johnson’s role will focus on “customer engagement and communication about Microsoft’s own security,” the Redmond, Washington-based company said in an email.

Early this year, a Russian state-sponsored group was blamed for combing through the email accounts of top Microsoft executives – prompting the company to reassign thousands of engineers to help mitigate the intrusion and accelerate security updates. In May 2023, a hacking gang allegedly linked to the Chinese government was accused of stealing one of Microsoft’s access tools and using it to break into the email accounts of US Commerce Secretary Gina Raimondo, US Ambassador to China Nicholas Burns and hundreds more.

On Friday, a German official said Russia-backed hackers exploited a previously unknown flaw in Microsoft Outlook to breach government departments, companies and officials in Chancellor Olaf Scholz’s Social Democratic Party.

Last month, the US Cyber Safety Review Board issued a withering report documenting the company’s inability to stop the China-linked hack and calling on Microsoft to institute urgent reforms. US Senator Ron Wyden introduced draft legislation on April 8 that would require the government to set mandatory cybersecurity standards for collaboration software, citing Microsoft’s “shambolic cybersecurity”.

The latest set of changes is meant to address how to give each product group a focus on security as it moves to add new features and box out competitors in fields like artificial intelligence. Nadella said last week on a call with investors that the company is now “putting security above all else”. – Bloomberg