- The U.S. government and rival technology companies, including Google and CrowdStrike, recently criticized Microsoft for failing to prevent China from hacking its systems.
- One of the changes Microsoft is currently making is tying executive compensation to the success of its cybersecurity strategy.
- While new pay approaches for top business leaders are not common, compensation experts say Microsoft's move has sparked discussions at other companies.
Microsoft has recently come under fire from both the U.S. government and rival companies for failing to prevent China from hacking its systems last summer. One change tech giants are making in response is to tie executive compensation more closely to cybersecurity.
A government review committee said in April that China's hacking of Microsoft last summer was “preventable.” The U.S. Department of Homeland Security's Cyber Security Review Board cited Microsoft's “chain of errors” and a corporate culture that “deprioritizes corporate security investments and rigorous risk management.”
Competitors are capitalizing on the cyber blunders. Google published a blog post this week highlighting the government's findings, saying the CSRB's report “shows that many vendors, including Google, are using an engineering approach that protects them from the tactics” shown in the report, and that it “emphasizes that we are already doing the right thing.”
CrowdStrike will prominently display the government's conclusions on its site.
Nation-state attacks by China and Russia are on the rise, targeting not only the U.S. government and critical infrastructure, but also businesses across the economy. Microsoft is a huge target for hacking by Russia and China. The company's top lawyer, Brad Smith, has been called to testify on Capitol Hill as the company faces increasing pressure from the U.S. government to improve its cybersecurity practices.
Microsoft is in damage control mode. After the January hack of executive email accounts attributed to Russian hackers, the company disclosed the incident in accordance with the new federal cybersecurity disclosure rules. Other companies are also debating where to draw the line when it comes to the new disclosures. Microsoft's decision to tie executive compensation to cybersecurity performance has also sparked debate at other companies.
Microsoft launched its Secure Future Initiative in November, and earlier this month, in a blog post from Charlie Bell, Microsoft executive vice president of security, the company announced that as part of its SFI goals it would ensure thorough accountability by basing “a portion of compensation” for its senior leadership team on its security plan and progress in achieving milestones.
A Microsoft spokesperson declined to provide details on compensation, but said that as a company with a central role in the world's digital ecosystem, it has a “grave responsibility” to make cybersecurity a top priority. This is part of the company's “significant governance changes” made “to further support our security-first culture,” the spokesperson said.
Companies often provide more detailed information about the performance targets behind executive compensation in their annual general meeting proxy statements, but even that information is limited. In Microsoft's case, the last general meeting was held in December 2023.
Cybersecurity is a core risk and bonus indicator for companies
It is becoming more common for companies to tie the proportion of annual executive bonuses paid to a variety of goals beyond the achievement of sales or profit targets. In recent years, many Fortune 500 companies, including Apple, have added bonuses tied to ESG metrics. Risk management and safety objectives have long been part of executive compensation, dating back to the days before the rise of ESG. For example, mining and energy companies, as well as manufacturing and industrial companies, tied bonuses to the environment and worker safety.
Since Microsoft made the move, discussions about executive pay tied to cybersecurity have begun at other companies, according to Arup Shah, managing director at executive compensation consultant Pearl Meyer. He adds that while it's not a widespread compensation practice today, “after Microsoft's announcement, we got calls asking, 'Should we do it? Will it work?' … These conversations are very similar to the conversations we were having around ESG metrics a few years ago, and a significant percentage of companies have adopted ESG metrics.”
Mr Shah said there is an argument that cybersecurity is a core issue that could be considered on par with mine and industrial safety. However, there are significant differences between cybersecurity companies and, say, retailers when making this claim. And even in industries outside of technology and cybersecurity where keeping data safe is a core issue, such as financial services and healthcare, which have been the targets of high-profile hacks, tying top executive pay to cybersecurity is a challenge. It's not a clear-cut case yet. Specifically, responsibility for cybersecurity extends beyond the chief information security officer and chief technology officer to executives such as the chief financial officer and general counsel.
Linking hacking and rewards is a 'good starting point'
Some companies will argue that cybersecurity is already ingrained in their culture and such a move is unnecessary, but the growing threat of hacking, and the threat it poses to the bottom line at companies like Microsoft, are pushing this new executive compensation metric forward as cybersecurity spending grows in importance.
Experts say making executive compensation contingent in part on achieving cybersecurity goals is a great starting point for instilling the culture of security that is fundamental to success at the top of the corporate hierarchy.
“The most important message being sent internally and externally is that it's so important to company culture that more and more companies will follow suit, whether it's profitable or not,” Shah said. “What they want to do is make sure it's ingrained culturally, and the way to do that is to tie it to compensation.”
“Cybersecurity has to be built into the culture of an organization,” said Stuart Madnick, a professor of information technology at the Massachusetts Institute of Technology (MIT). But making security a priority within a company can be difficult, Madnick said. That's because it often means spending money where it's not clearly reflected in the bottom line. “The culture is prioritizing other things over security and risk management,” Madnick said. “How do you know how safe you are? Maybe no one is targeting you at that point. But if your sales increase by 20%, that's money in the bank.”
Madnick's research shows that gaps in corporate culture are often the cause of high-profile hacks, including Microsoft's. Foresight is as important as hindsight when it comes to prevention, he says. In a recent article, he cited his MIT investigation into the recent Equifax and Capital One security breaches as other prominent examples. “Some risks are real surprises that are unlikely to be recognized in advance, but many are similar to burglar alarm systems that are known to be defective,” he said.
Equifax and Capital One did not respond to requests for comment.
Madnick described the corporate mentality as “systematic, semi-conscious decision-making,” meaning that business decisions are made without analyzing the cyber risks those decisions create. Tying executive compensation to security objectives does not necessarily make that mentality disappear from corporate culture, but it has symbolic resonance, and he said practical change may follow from the symbolic one.
“The center of annoyance and profit”
For Microsoft, the risk is higher than for most organizations. Its platforms and systems are ubiquitous in businesses and governments, and it's basically impossible to live without them. “From a productivity standpoint, there is no alternative to Microsoft,” said Ryan Kalember, executive vice president of cybersecurity strategy at cybersecurity vendor Proofpoint. “We have to do something.”
Adding to Microsoft's inevitable complexity, he said, is the multi-layered nature of its platform, with later iterations often built on legacy applications dating back to the 1990s, before security threats like today's emerged.
The U.S. government has asked the largest and oldest technology companies to update the systems that both businesses and consumers rely on. Last year, Jen Easterly, head of the Cybersecurity and Infrastructure Security Agency, said in an interview with CNBC that cybersecurity is about consumer safety, likening it to auto regulation. “Technology companies that have been making fundamentally insecure products and software for decades need to start making products that are safe by design and secure by default, with built-in safety features,” Easterly said.
While it's much easier to connect to and build on legacy platforms than to deploy a completely new system, “it's a security nightmare,” Kalember says. “Providing one MS365 to everyone from the State Department to Joe's Crab Shack is a great business model, but it doesn't lend itself to traditional security measures.”
Architectural principles built into some of these legacy systems “were designed in a time when ransomware really didn't exist, outside of floppy disks,” he said. This has allowed the company to accumulate huge amounts of what he calls “technical debt” over the decades that could be exploited by nation states to allow foreign intelligence services to “steal whatever they want,” he added.
Microsoft is caught between two conflicting impulses: security is “a combination of a nuisance and a profit center,” Kalember said. Microsoft is the world's largest cybersecurity vendor, with $20 billion in annual security revenue last year, which makes security a profit center. So the compensation move was a “good gesture,” he said, but added: “Without concrete details behind it, it's very difficult to assess.”
No details available on how Microsoft's executive pay will be affected
The lack of detail in compensation formulas prevents the incentives from being properly evaluated. Many companies that adopted ESG metrics did so only in the bonus portion of executive compensation, rather than in the larger long-term incentive plans. “It's putting your money where your mouth is,” Shah said.
Bonuses can make up 20% of executive compensation on average, and non-core financial metrics such as ESG typically contribute only 20% of the total potential bonus payout within those bonus pools. “When you have 20% of the total [bonus], we calculate rewards and split them into several different metrics, but how much do we actually tie to things like cyber?” Shah said.
Particularly in the high-tech sector, long-term incentive plans tied to equity grants are where the real money is made, and that's where the prevalence of these types of non-core financial metrics is low. That is the ideal place in a compensation plan to align pay with long-term cybersecurity and company goals, but it is difficult for companies to define two- to three-year goals related to cybersecurity, consumer privacy, and data breaches that can be measured like sales and profits. “It's going to be a challenge,” Shah said. “Is it the number of incidents? What I'm wary of is the same as with ESG. You have to make sure there's relevance, but also make sure there's a quantifiable goal. If you're rushing to hire, it's subjective and doesn't make much sense to shareholders.”
Boards already have the discretion to hold executives accountable each year and to adjust bonuses downward based on performance, including data breaches. So far, these types of rewards and penalties have been largely limited to chief information security officers, said Mike Doonan, managing director at SPMB, an executive search firm specializing in technology. In his view, many hacks occur through third-party vulnerabilities and are often beyond a company's direct control, so the history of bonus payments tied to metrics such as employee safety is an imperfect comparison. But Doonan said this kind of executive incentive could be adopted more broadly, because “it's good PR to say that security is a top priority for the entire executive team,” and it may lead to improvements. He thinks there's an even better way to strengthen corporate defenses, though: set aside the money that would go into a bonus pool and invest it in a security program.