Microsoft was slammed for its lax cyber security practices after a series of breaches — now it plans to cut executive bonuses if they don't improve standards

Microsoft executives, including CEO Satya Nadella, president Brad Smith, and CFO Amy Hood, pictured at the company's annual shareholder meeting in 2017.
(Image credit: Getty Images)

Microsoft has announced a new tactic to ensure it gets buy-in from business leaders on transforming its security culture after several high-profile security blunders exposed a cavalier approach to its cyber posture.

Executive bonuses will now be tied to their departments’ security performance and reviewed by an independent cyber board before they are paid out each year, according to Brad Smith, vice chair and president of Microsoft.

Smith revealed the planned adjustment to the company’s executive pay structure via written testimony ahead of his hearing in front of the US house committee last week. 

The hearing saw the Microsoft president testify on a series of ‘cyber security shortfalls’ highlighted in a report into the company’s  “lax corporate culture” in light of the 2023 Summer Exchange Intrusion.

The attack saw a state-backed Chinese threat collective known as Storm-0558 access the mailboxes of 22 organizations and 500 individuals, some of whom were senior US government officials including Secretary of State for Commerce Gina Raimondo.

The Department of Homeland Security issued a report based on an independent review of Microsoft’s conduct during the incident by the Cyber Safety Review Board, which found the company’s security strategy was lacking. The review noted it was still unable to provide details on exactly how the breach occurred almost a year later.

This has led to the promise of significant culture changes geared towards security, one of which is the decision to tie executive bonuses to their security performance. 

According to Smith’s submission, one-third of the ‘individual performance’ portion of their bonuses in the new financial year will be tied to a review of their cyber security work by the board’s compensation committee, which will take into account the opinion of an unidentified independent third-party.

String of security failures force Microsoft to show it is making changes

The 2023 Summer Exchange Intrusion is not the only incident attracting all the wrong attention for Microsoft in recent years.

The report from the Cyber Safety Review Board also noted Microsoft suffered another attack in January 2024 that gave a nation-state affiliated threat group, Midnight Blizzard, access to corporate accounts in a password spraying attack.

The recent announcement and subsequent delay of its Recall feature, that uses AI to continually screenshot the device so users can search back through their activities after security concerns, is just another example of the company missing the mark when it comes to cyber security, some industry experts have claimed.

Microsoft was forced to roll back the capability and reassure users it would no longer be part of the official launch of its anticipated Copilot+ PC range, saying it would conduct further testing on the product before rolling it out.

RELATED WHITEPAPER

A whitepaper from Dell and Intel on the business value of Dell Powerflex, with image of data in a funnel shape

(Image credit: Dell | Intel)

Minimize downtime and boost productivity

Going back slightly further, a former Microsoft security architect has blown the whistle saying the firm chose to ignore early warnings about the flaw attackers exploited to deploy the SolarWinds attack that disrupted thousands of organizations in 2020.

The strongest accusations were made against a number of product leaders at the company, who the whistleblower accused of prioritizing minimizing business fallout over cyber resilience when they were made aware of a critical security vulnerability.

The tech giant will hope by hitting executives where it hurts if they fail to pull their weight in the company-wide push, will tighten some of the loose ends that have been hurting its security posture over the last few years.

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.