Microsoft has recently under criticism from both the US government and competitor firms for failing to prevent a Chinese hack of its networks last summer. In response, the internet behemoth is forging a more direct link between executive pay and cybersecurity.
In April, a federal assessment body deemed a Microsoft intrusion last summer attributed to China as “preventable.” The Cyber Safety Review Board of the United States Department of Homeland Security cited “a cascade of errors” and a corporate culture at Microsoft “that deprioritized enterprise security investments and rigorous risk management.”
Competitors have capitalized on the cyber lapse, with Google publishing a blog post this week highlighting the government findings and noting, “The CSRB report also highlights how many vendors, including Google, are already doing the right thing by engineering approaches that protect against tactics illustrated in the report.”
CrowdStrike extensively promotes the government’s conclusions on its website.
Nation-state attacks from China and Russia are on the rise, targeting firms across the economy, as well as the US government and social infrastructure. Microsoft has been a major target, including hackers from Russia and China. The US government is increasing pressure on the corporation to improve its cybersecurity protocols, with its senior corporate counsel, Brad Smith, scheduled to appear on Capitol Hill.
Microsoft is in damage management mode. Following a hack of executive email accounts in January attributed to Russian hackers, the company disclosed the incident in accordance with new federal cybersecurity disclosure rules, despite the fact that it was not a “material” hack that it was required by law to share, sparking debate among other firms about where to draw the line on the new disclosure. Microsoft’s plan to link executive compensation to effective cybersecurity performance has sparked concerns at other companies.
Microsoft launched its Secure Future Initiative in November, and earlier this month, in a blog post by Charlie Bell, executive vice president of Microsoft Security, the company stated that as part of its SFI goals, it will “instill accountability by basing part of the compensation of the company’s Senior Leadership Team on our progress in meeting our security plans and milestones.”
A Microsoft representative declined to comment on the compensation, but stated that as a key player in the global digital ecosystem, the business had a “critical responsibility” to prioritize cybersecurity. It is one of the company’s “important governance changes [made] to further support a security-first culture,” according to the spokeswoman.
Companies frequently offer more, albeit limited, information on CEO remuneration success targets in annual meeting proxies, which in Microsoft’s case were last held in December 2023.
Cybersecurity as a primary business risk and bonus metric
Corporations are increasingly tying a percentage of yearly CEO bonus distributions to goals other than fulfilling sales and profit targets. In recent years, numerous Fortune 500 businesses, including Apple, have implemented ESG-related bonuses. Risk management and safety objectives have long been part of CEO compensation, dating back to before the advent of ESG — for example, mining and energy businesses, as well as manufacturers and industrials, tied bonuses to environmental and worker safety.
Conversations on cybersecurity-linked CEO pay have begun at other companies since Microsoft’s move, according to Aalap Shah, managing director at executive compensation consultancy Pearl Meyer. It is not a common compensation practice today, he stated, but “post-Microsoft’s announcement, I’ve gotten phone calls asking, ‘Should we do it? Will it work? These discussions are very similar to those we had a few years ago about ESG indicators, and a significant percentage of corporations have adopted them.
Shah believes there is a case can be made that cybersecurity is a critical problem comparable to mining or industrial safety. However, when it comes to making this case, there is a significant distinction between a cybersecurity company and a merchant. Even in industries other than technology and cybersecurity where data security is a top priority, such as financial services and health care, which have been the targets of high-profile hacks, there isn’t a clear case for tying executive compensation for the most senior people, such as a chief financial officer or general counsel, to cybersecurity, as opposed to the chief information security officer or chief technology officer.
Paying hackers is a ‘fine place to start’.
Some companies will argue that cybersecurity is already ingrained in their culture, making such a move unnecessary; however, with the escalation of hacking threats and the increased importance of cybersecurity spending to the bottom line of companies such as Microsoft, this new executive pay metric may be overdue.
Making CEO compensation reliant, to some extent, on reaching cybersecurity goals is a good place to start building a security culture at the top of the business hierarchy, which is critical to success, according to experts.
“The most important message being sent internally and externally is it’s very important to their culture and more and more companies will follow suit, regardless of whether the gain is significant,” Shah stated. “What they want to do is make sure it is becoming ingrained culturally, and the path to do that is by linking it to compensation.”
“Cybersecurity has to be in the culture of the organization,” said Stuart Madnick, an information technology professor at MIT. However, prioritizing security within a firm can be tough, according to Madnick, because it typically requires investing money in areas that aren’t clearly reflected on the bottom line. “Corporate culture prioritizes other things over security and risk management,” Madnick stated. “How do you know you’re secure? Perhaps no one is targeting you at this time. But a 20% increase in sales equals money in the bank.
According to Madnick’s research, corporate culture gaps are frequently the source of high-profile hacks, not simply those involving Microsoft. According to him, prevention involves both foresight and retrospect. In a recent paper, he mentioned MIT research on recent Equifax and Capital One security breaches as notable instances. “While some risks are true surprises unlikely to be recognized in advance, many are more like the burglar alarm known to be defective,” he stated.
Equifax and Capital One did not return calls for comment.
Madnick described the corporate mentality as “systematic, semi-conscious decision-making.” This means that management decisions are made without considering the cyber dangers that the decision may entail. Tying CEO salary to security goals will not necessarily eliminate that approach from corporate culture, but he believes it has symbolic resonance, and the practical may come from that.
‘An nuisance and profit center.’
Microsoft has larger stakes than most other organizations. Its platforms and technologies are so widely used in industry and government that it is nearly hard to live without them. “There is no alternative to Microsoft in terms of productivity. “You have to do insane things to try to work without it,” said Ryan Kalember, Proofpoint’s senior vice president of cybersecurity strategy.
Adding to the intricacy of Microsoft’s unavoidability, he noted, is the tiered nature of its platforms, in which consecutive iterations are frequently supported by legacy apps dating back to the 1990s, before security concerns remotely approximating those exist now.
The United States government has urged the largest and oldest technology companies to upgrade systems on which both corporations and consumers rely. Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, stated in a CNBC interview last year that cybersecurity is similar to automobile standards in terms of consumer safety. “Technology companies who for decades have been creating products and software that are fundamentally insecure need to start creating products that are secure by design and secure by default with safety features baked in,” she stated.
Legacy platforms are more easier to plug into and build on than establishing a completely new system, but “it’s a security nightmare,” Kalember stated. “One MS365 for everybody from the State Department to Joe’s Crab Shack is a fine business model, it just doesn’t lend itself well to traditional security measures.”
Some of these outdated systems’ architectural concepts were developed “when ransomware was really a thing that simply didn’t exist – except on floppy disks,” he stated. This has resulted in the corporation accumulating vast quantities of “technical debt”—decades of it—that may be misused by nation-states and allow foreign intelligence agencies “to steal anything they want,” he added.
Microsoft is torn between two competing impulses, with security “a combination of an annoyance and a profit center,” according to Kalember. It’s a profit center since Microsoft is the world’s largest cybersecurity company, generating $20 billion in revenue last year. That makes the compensation action “a good gesture,” he says, but “without specifics, it’s very difficult to assess.”
There are no information about how Microsoft pay will be altered.
The absence of information about the compensation mechanism makes it impossible to fully analyze the incentive. Many firms that embraced ESG measures did so solely for the bonus element of executive pay, rather than the long-term incentive plan, which is far more important. “That’s putting your money where your mouth is,” Shah stated.
A bonus may account for 20% of executive pay on average, with non-core financial metrics such as ESG accounting for only 20% of a potential total bonus payout. “When you have 20% of overall [bonus] compensation and divvy it up into a few different metrics, how much are you really tying something like cyber to it?” Shah said.
Long-term incentive schemes related to stock awards, particularly in technology, are where the real money is produced, and thus non-core financial indicators are less common. That would be the ideal spot in a compensation plan to align pay with long-term cybersecurity and corporate goals, but it is difficult for businesses to devise two- to three-year targets for cybersecurity, customer privacy, and data breaches that can be quantified similarly to sales and profit. “It will be a challenge,” Shah explained. “What is the number of incidents? The same care applies to ESG: you want to ensure not only relevance, but also quantifiable goals. In a haste to embrace, if it is subjective, it is less significant to shareholders.”
Every year, boards of directors have the ability to hold CEOs accountable and make downward changes to incentives depending on performance, including data breaches. According to Mike Doonan, managing director of SPMB, an executive recruitment agency specializing in technology, this type of bonus incentive/punishment has hitherto been reserved to chief information security officers.
In his opinion, comparing the history of incentive pay to metrics such as worker safety is an imperfect comparison because many hacks occur as a result of third-party vulnerabilities, which are frequently beyond the company’s direct control. However, Doonan believes this form of executive incentive will be implemented more extensively, “because it’s good PR to say security is a top priority across the entire executive suite, and it might result in improvements.” However, he believes there is an even better method to strengthen company defense: “saving the bonus pool and investing those dollars into security programs.”
