Microsoft is taking steps to prevent cybersecurity attacks following a recent uptick in breaches by foreign actors, and the company says employees will play a central role in these efforts.
The tech firm was subject to two cyberattacks in the past year that attracted the attention of the Department of Homeland Security (DHS): Last July, Chinese hackers infiltrated government email accounts, and in March, Microsoft said hackers backed by the Russian state were able to access “the company’s source code repositories and internal systems.”
The first attack prompted a report by DHS’s Cyber Safety Review Board, which found Microsoft’s security culture was “inadequate,” and provided recommendations for the company to prevent such attacks in the future. In a June 13 Congressional hearing, Vice Chair and President Brad Smith said the company was following these recommendations, and called them “a clarion call for stronger action for every employee who works at Microsoft.”
How Microsoft will track employee contributions to cyber goals. To promote accountability on cybersecurity among Microsoft’s workforce, the company is tying its goals to executive pay, as well as making them a part of employee performance reviews.
In March, Microsoft said part of senior leaders’ compensation would be based on how they meet “security plans and milestones” laid out in the company’s Secure Future Initiative, which aims to improve cybersecurity practices based on recent incidents. Starting July 1, one-third of each senior leader’s individual performance evaluation for their bonus will be tied to cybersecurity, according to a June 13 blog post from Smith.
Security will also be part of biannual reviews for all Microsoft employees, who will be asked to discuss their cybersecurity contributions with their managers. It will be considered in annual bonus and compensation decisions, Smith wrote.
Quick-to-read HR news & insights
From recruiting and retention to company culture and the latest in HR tech, HR Brew delivers up-to-date industry news and tips to help HR pros stay nimble in today’s fast-changing business environment.
Why more companies are tying executive pay to cybersecurity. Microsoft’s decision to base bonus decisions partly on cybersecurity is part of a growing trend in the world of executive pay. Some 12% of Fortune 100 companies disclosed that cybersecurity or privacy issues were a consideration in determining executive pay as of 2023, up from zero in 2018, an analysis of filings by consulting firm EY found.
Cybersecurity is generally just one factor among “a host of other non-financial company or individual performance considerations” firms take into account when determining executive pay, Patrick Niemann, a leader of the EY Americas audit committee forum, who advises board members on their oversight and governance roles, told HR Brew.
Incentivizing executives to address key risks in their companies with compensation can be complex, Niemann noted. A company may set a goal of zero cyber incidents, for example, and award an executive for achieving this before realizing they’ve actually been targeted. (IBM estimates it takes more than 200 days for firms to detect and contain a breach, on average.)
“There clearly is no [one]-size-fits-all, there are no bright lines. But I do think in the coming years, we will see more of this…more quantifiable metrics that will help drive the goals for executive compensation and accountability,” he added.
While executive pay pertains to corporate boards and management teams, Niemann said that companies are thinking about setting a tone for their entire workforces about cybersecurity risks, which can be particularly pertinent for those working in departments like IT and security.
“Holding individuals accountable, and employees accountable is key,” Niemann said, though he noted tying these cybersecurity goals to compensation directly is still “very complex,” adding, “I would say companies are still figuring it out.”