The rise of technology comes with big benefits, but just as quickly as technology evolves, so do the threats posed by cyberattackers. Trying to work without Microsoft technology in today’s world can feel nearly impossible, but the company’s failure to prevent a Chinese hack of its systems last summer has drawn criticism from both the government and rival tech companies. Between the cyberattack and the current criticism, Microsoft is now making moves to link executive pay more closely with cybersecurity.
Cyberattacks from both China and Russia are increasing across the nation, often targeting U.S. corporations, as well as government and social infrastructure. A main target of these cyberattacks is Microsoft, and last summer’s successful hack has led the U.S. government to pressure the tech company to improve its cybersecurity protocols.
The U.S. Department of Homeland Security’s Cyber Safety Review Board (CSRB) stated in April that it believed the hack on Microsoft was “preventable,” pointing to a “cascade of errors” and poor corporate culture at Microsoft “that deprioritized enterprise security investments and rigorous risk management.” But the U.S. government is not the only critic of Microsoft’s situation, with many tech competitors putting in their two cents. Highlighting its differences from Microsoft, Google wrote in a recent blog post that “The CSRB report also highlights how many vendors, including Google, are already doing the right thing by engineering approaches that protect against tactics illustrated in the report.”
While the hack occurred last summer, Microsoft still finds itself in a state of damage control, and after a Russian hack of executive email accounts in January, the company has decided to link executive compensation to cybersecurity performance more closely. The launch of its Secure Future Initiative (SFI) in November, and earlier this month, helps outline how Microsoft will “instill accountability by basing part of the compensation of the company’s Senior Leadership Team on our progress in meeting our security plans and milestones,” according to Charlie Bell, executive vice president of Microsoft Security.
Microsoft’s ultimate goal with this move is to establish cybersecurity as a top priority within the company, but tying executive compensation, like bonus payouts, to specific goals is not entirely exclusive to the tech company. It has become a more common practice among companies to link executive compensation to company goals that exceed expectations. While risk management and security have always been a part of company goals, their linkage to executive pay is more recent. Aalap Shah, managing director at executive compensation consultant Pearl Meyer, argues that this compensation practice may not be prevalent today, but that Microsoft’s recent move has sparked conversations with other companies that wonder if this new approach may work.
Unfortunately, there is no clear evidence yet on how well tying executive pay to cybersecurity works; however, this approach could be a good place to start building a corporate culture that values cybersecurity as a top priority. Executives who have a portion of their compensation tied to cybersecurity measures and performance may start to instill in their staff the significance of company safety. Shah argues that “What [companies] want to do is make sure [cybersecurity] is becoming ingrained culturally, and the path to do that is by linking it to compensation.”
The complexity of Microsoft may make this new approach more challenging, and the company has yet to reveal the details of its compensation formula; however, by making security a top priority, Microsoft could find itself improving.