Microsoft is under intense scrutiny from the US government and rival companies for failing to prevent a Chinese hack last summer. In response, the tech giant is taking significant steps, including linking executive compensation more closely to cybersecurity performance.
In April, the U.S. Department of Homeland Security’s Cyber Safety Review Board (CSRB) labeled the hack as “preventable.” The CSRB’s report highlighted a series of errors and criticized Microsoft’s corporate culture for deprioritizing enterprise security and risk management.
In a move towards damage control, Microsoft revealed a hack of executive email accounts by Russian hackers in January, complying with new federal cybersecurity disclosure rules even though it wasn’t legally required to disclose the incident. This transparency has sparked discussions at other firms about where to draw the line on such disclosures.
One of Microsoft’s most notable responses is its decision to tie executive compensation to cybersecurity performance. In a blog post, Charlie Bell, Executive Vice President of Microsoft Security, announced that part of the compensation for the company’s Senior Leadership Team would be based on progress in meeting security goals and milestones.
While details on the new compensation structure are scarce, a Microsoft spokesperson emphasized the company’s critical responsibility to prioritize cybersecurity as part of its broader governance changes.
Tying executive pay to cybersecurity performance is becoming a trend among corporations. Experts suggest that making executive compensation contingent on cybersecurity goals is a good starting point to instill a security-first culture at the corporate level.
“The most important message being sent internally and externally is it’s very important to their culture and more and more companies will follow suit, regardless of whether the gain is significant,” said Aalap Shah, managing director of Pearl Meyer, an executive compensation consulting firm.
For Microsoft, the stakes are particularly high. Its platforms are integral to both business and government operations, making security breaches especially concerning. The company’s decision to link executive pay to cybersecurity sets a precedent that other firms may soon follow.