Microsoft ties pay to top bosses to meet cybersecurity goals

(Bloomberg) — Microsoft Corp. announced new anti-hacking initiatives, including basing a portion of senior leaders’ compensation on meeting cybersecurity milestones, following harsh criticism of the company for failing to contain several serious attacks. developing new features and adding cybersecurity heads to their product groups. CEO Satya Nadella was expected to send a company-wide email on Friday outlining the new measures and reinforcing the notion that security is “job #1.” Microsoft in November unveiled the Secure Future Initiative, its most significant security plan since co-founder Bill Gates halted Windows development in 2002 and ordered engineers to prioritize product security over new features. But a scathing report from a government cybersecurity panel last month described Microsoft’s security culture as inadequate and some rivals, government officials and customers have questioned whether the recent review went far enough. “We must and will do more,” wrote Microsoft security chief Charlie Bell. in a blog post on Friday. “We are making security our top priority at Microsoft, above all else – above all other resources.” As part of this, the company is expanding the scope of the Secure Future Initiative, he said, integrating recommendations from the government panel’s report as well as lessons gleaned from a recent breach linked to Russian state-sponsored hackers. That said, it will be guided by three principles: security comes first in the design of any product or service; security protections are enabled and applied by default, requiring no extra effort and are not optional; and security controls and monitoring will be continually improved to address current and future threats. “Culture can only be reinforced through our daily behaviors,” Bell said. The deputy chief information security officers will report to Igor Tsyganskiy, who became global chief information security officer in December, a month after Microsoft announced its security review.

Bloomberg’s Most Read

Ann Johnson, a Microsoft security executive since 2015, has been named deputy CISO for customer service and regulated industries and will also report to Tsyganskiy. Johnson’s role will focus on “customer engagement and communication about Microsoft’s own security,” the Redmond, Washington-based company said in an email.

The story continues

Read more: Hacker-plagued Microsoft faces problems years in the making

Earlier this year, a Russian state-sponsored group was accused of searching the email accounts of top Microsoft executives – prompting the company to redeploy thousands of engineers to help mitigate the intrusion and speed up security updates. In May 2023, a Chinese government-linked hacking gang was accused of stealing one of Microsoft’s access tools and using it to break into the email accounts of US Secretary of Commerce Gina Raimondo and US Ambassador in China, Nicholas Burns, and hundreds of others.

On Friday, a German official said Russian-backed hackers exploited a previously unknown flaw in Microsoft Outlook to breach government departments, companies and officials from Chancellor Olaf Scholz’s Social Democratic Party.

Last month, the US Cybersecurity Review Board issued a scathing report documenting the company’s inability to stop the China-linked hack and calling on Microsoft to institute urgent reforms. US Senator Ron Wyden introduced a bill on April 8 that would require the government to establish mandatory cybersecurity standards for collaboration software, citing Microsoft’s “chaotic cybersecurity.”

The latest set of changes is intended to address the question of how to give each product group a focus on security as they move to add new features and eliminate competitors in areas such as artificial intelligence. Nadella said last week in a conference call with investors that the company is now “putting safety above all else.”

(Updates with additional information).

Bloomberg Businessweek Most Read

©2024 Bloomberg LP