Microsoft, facing backlash from government and industry rivals following ‘avoidable’ breach, connects executive pay to cybersecurity risks

Microsoft has recently been criticized by both the U.S. government and competing companies for its inability to prevent a Chinese breach of its systems last summer. One response from the tech behemoth: aligning executive remuneration more tightly with cybersecurity.

In April, a government review board labeled a hack on Microsoft last summer that was linked to China as “avoidable.” The U.S. Department of Homeland Security’s Cyber Safety Review Board attributed “a chain of mistakes” to a corporate mindset at Microsoft that “underemphasized enterprise security investments and robust risk management.”

Rivals have capitalized on the cybersecurity breach, with Google releasing a blog post this week highlighting the government’s discoveries and stating, “The CSRB report also emphasizes how many vendors, including Google, are already implementing strategies that defend against techniques outlined in the report.” 

CrowdStrike publicly showcases the government’s findings on its website.

Nation-state cyber assaults from China and Russia are on the rise, targeting companies across various sectors in addition to the U.S. government and public infrastructure. Microsoft has been a significant target, enduring breaches from both Russia and China. There is mounting pressure from the U.S. government for the corporation to enhance its cybersecurity measures, with Brad Smith, its top corporate lawyer, summoned to testify on Capitol Hill.

Microsoft is now in crisis management mode. Following a breach of executive email accounts in January attributed to Russian hackers, the firm revealed the incident to comply with new federal cybersecurity disclosure regulations, even though it was not technically a “significant” breach that required public disclosure by law, sparking debates at other organizations about the new disclosure threshold. Microsoft’s move to tie executive compensation to effective cybersecurity performance is generating discussions across other corporations.

Microsoft introduced its Secure Future Initiative in November. Earlier this month, an update from Charlie Bell, Microsoft Security’s executive vice president, revealed that as part of its SFI objectives, the company will “establish accountability by incorporating elements of the company’s Senior Leadership Team’s compensation linked to our advancements in following our security blueprints and milestones.”

A Microsoft representative declined to disclose specifics regarding the compensation but emphasized the company’s integral role in the global digital realm, placing “crucial obligations” on prioritizing cybersecurity. The spokesperson noted it forms part of the firm’s “significant governance adjustments [implemented] to further boost a security-centric culture.” 

Corporations typically provide only limited details on executive compensation performance targets in their annual meeting proxies; Microsoft’s last annual meeting was held in December 2023.

Cybersecurity as a fundamental corporate peril and incentive metric

Corporations increasingly link a proportion of annual executive bonus distributions to objectives beyond revenue and profit achievements. In recent times, numerous Fortune 500 companies, such as Apple, have integrated bonus rewards tied to ESG metrics. Risk management and safety goals have long been components of executive compensation, originating before the ESG era—such as mining and energy corporations, as well as manufacturers and industrials, linking bonuses to environmental and employee safety.

Dialogues around cybersecurity-related executive pay have begun at other firms since Microsoft’s announcement, according to Aalap Shah, managing director at executive compensation consultancy Pearl Meyer. While not yet a widespread remuneration practice, he described receiving inquiries after Microsoft’s move asking, ‘Should we adopt this? Would it be effective?’ These discussions resemble the ones held years ago concerning ESG metrics, which a significant percentage of firms went on to embrace.

Shah argued that cybersecurity is a core issue comparable to mining or industrial safety. However, he highlighted the disparity between a cybersecurity-focused business and, for instance, a retailer. Even in industries beyond technology and cybersecurity where data security is paramount, like finance and healthcare (frequently targeted in major breaches), it remains an open question whether it makes sense to tie the pay of executives such as the CFO or general counsel to cybersecurity, as opposed to the CISO or CTO specifically.

Tethering compensation to breaches is an ‘opportune starting point’

Some organizations may contend that cybersecurity is already ingrained in their ethos, deeming such a measure redundant. Nonetheless, in light of the surge in cyber threat instances and the escalating role of cybersecurity spending in companies’ profit margins like Microsoft’s, this novel executive pay metric might be long overdue.

Linking executive compensation, to a certain extent, to attaining cybersecurity objectives is a valuable launching point in instilling a security-focused ethos at the apex of corporate hierarchies, as per experts.

“The primary message being communicated internally and externally is the fundamental importance to their culture, and a growing number of companies will follow suit, irrespective of whether the gains are substantial,” stated Shah. “Their aim is to ensure it permeates culturally, and the approach to do that is by dovetailing it with compensation.”

“Cybersecurity must resonate throughout the organization’s culture,” affirmed Stuart Madnick, an IT professor at MIT. Nevertheless, prioritizing security can pose challenges across a company, Madnick observed, since it often entails pouring resources into areas not overtly reflected on the balance sheet. “Corporate culture tends to prioritize other aspects over security, and

“Risk management is crucial,” Madnick expressed. “How can you determine your level of security? It’s possible that no one is targeting you at the moment. But if you boost sales by 20%, that translates to real money in your pocket.”

Madnick’s research indicates that deficiencies in corporate culture often play a role in major breaches, not limited to the Microsoft case. According to him, prevention requires as much strategic thinking as post-event analysis. In a recent piece, he cited MIT studies of the Equifax and Capital One breaches as prominent examples. “While some risks are genuine surprises that might not be detected in advance, many are akin to a faulty burglar alarm,” he remarked.

Equifax and Capital One chose not to comment when reached.

Madnick described the prevailing corporate mindset as primarily “methodical, semi-conscious decision-making.” This implies that management choices are made without properly evaluating the cybersecurity risks associated with those decisions. While linking executive compensation to security objectives may not guarantee the eradication of this approach from corporate culture, Madnick suggested that it holds symbolic weight, which could potentially lead to practical changes.

‘A source of frustration and revenue’

For Microsoft, the stakes are exceptionally high compared to most other entities. Its technologies and infrastructures are so widespread and integral — in both business and government sectors — that living without them is nearly inconceivable. “There’s practically no substitute for Microsoft when it comes to productivity. You’d have to go to extreme lengths to attempt to function without it,” stated Ryan Kalember, cybersecurity strategy executive vice president at Proofpoint.

Kalember elaborated on the intricate nature of Microsoft’s ubiquity, highlighting how its systems often rely on older applications dating back to the 90s, long before today’s cybersecurity threats became prevalent.

The U.S. government has urged major, established tech firms to modernize systems that both businesses and consumers depend on. Last year, during an interview with CNBC, Jen Easterly, the Director of the Cybersecurity and Infrastructure Security Agency, emphasized that cybersecurity is essential for consumer safety, drawing a parallel to automotive regulations. “Technology companies that have historically produced products and software with inherent insecurities must begin creating products that prioritize security by design and by default, including embedded safety features,” she stated. 

Although working with legacy platforms is more convenient and cost-effective than implementing entirely new systems, Kalember cautioned that it poses significant security risks. “Using one MS365 platform for entities ranging from the State Department to a casual restaurant is a sound business strategy, but it doesn’t align well with standard security practices.”

Kalember pointed out that some architectural principles present in these legacy systems were conceived “at a time when ransomware was almost nonexistent — except maybe on floppy disks.” Consequently, Microsoft has accumulated substantial “technical debt” over decades, which malicious actors can exploit, enabling foreign intelligence agencies to pilfer sensitive information. 

Microsoft grapples with the duality of security being both “a source of irritation and an avenue for profit,” Kalember remarked. Microsoft’s standing as the world’s leading cybersecurity vendor, achieving $20 billion in annual revenue last year, underscores this viewpoint. While Kalember considers the compensation adjustment a positive step, he highlights the necessity for clear specifics to evaluate its effectiveness.

Lack of clarity on how Microsoft compensation will be impacted

The absence of explicit details regarding the compensation structure makes it challenging to assess the incentive accurately. Several companies incorporating ESG metrics have done so solely in the short-term bonus segment of executive compensation, rather than the more impactful long-term incentive plan. Shah noted that aligning such metrics with executive pay reflects a firm commitment. 

Typically, bonuses constitute approximately 20% of executive remuneration, with non-financial metrics like ESG contributing only a fraction of the total. Shah questioned the impact of connecting aspects such as cybersecurity to this allocation. 

In the technology sector, long-term incentive plans linked to equity grants hold substantial value, making them an ideal avenue to incorporate non-financial metrics. Shah suggested the challenge lies in formulating measurable goals related to cybersecurity, consumer protection, and data breaches, akin to sales and revenue metrics. “It poses a challenge,” Shah noted. “The metrics must be relevant and quantifiable. Rushing into adoption without clear criteria could diminish shareholder value.”

Boards possess the authority to hold executives accountable annually and adjust bonuses based on performance, including incidents like data breaches. Mike Doonan, from SPMB, a technology-focused executive search firm, noted that historically, bonus structures linked to metrics like worker safety have primarily involved chief information security officers. However, Doonan implied that expanding this model to all executives could enhance security standings and public image. Nevertheless, he proposed a more effective strategy for bolstering corporate defenses: redirecting bonus funds towards security initiatives.
