Microsoft has reportedly told its employees that they will be judged on their security knowledge and skills following several recent high-profile incidents.
An internal company memo seen by GeekWire and sent to all Microsoft employees outlined the new way of thinking, which will apparently link the company's current security goals to performance reviews.
Microsoft staff will now be evaluated on their alignment with security goals as well as diversity and inclusion goals. Performance reviews, internally called “Connect,” now include security, meaning bonuses and promotions could be affected if employees do not pay attention to it. Staff will now have to demonstrate impactful security changes they have implemented in order to show compliance with internal goals.
A boost to security
“When faced with a dilemma, the answer is clear and simple: security above all else,” Kathleen Hogan, Microsoft's chief human resources officer, wrote in the memo. “Our commitment to security is enduring. New and novel attacks will require us to continue to learn, innovate and defend. But by working together, we will make non-linear improvements, stay vigilant and meet our customers' expectations.”
The news comes shortly after Microsoft CEO Satya Nadella told employees about a new vision that sees the company “putting security above everything else.”
This comes after a series of high-profile attacks that hit the company, including a recent data breach that allowed Russian hackers to compromise several US federal organizations.
Microsoft has been criticized by the Department of Homeland Security's Cybersecurity Review Board (CSRB) for making a series of “avoidable mistakes.”
The company also announced its “Secure Future Initiative” in November 2023, outlining its broader vision for preventing and mitigating cybersecurity threats that have plagued the industry in recent years. The strategy focused on software and engineering, specifically securing identity management systems and reducing response time to patch vulnerabilities.
As part of its Secure Future Initiative, Microsoft tied executive pay to security performance, meaning that bonuses and internal rewards became conditional on meeting cybersecurity goals.