Microsoft links executive compensation to security

In response to a string of security lapses and breaches, Microsoft has announced a significant overhaul of its security measures, with executive pay now linked to security performance. Over the past few years, Microsoft has faced numerous challenges, including misconfigured endpoints, compromised security certificates, and weak passwords, all leading to the exposure of sensitive data. These incidents drew criticism from various quarters, including security researchers, lawmakers, and regulatory bodies.

Among the notable breaches was an attack by the China-based hacking group Storm-0558, which infiltrated Microsoft’s Azure service for over a month in mid-2023, accessing data from 25 Azure customers, including US federal agencies. Another breach involved the Russian state-sponsored group Midnight Blizzard, which gained access to Microsoft’s systems for up to two months.

Responding to these incidents, Microsoft launched the Secure Future Initiative, pledging to prioritise security above all else. This initiative includes changes in security practices, such as enforcing multifactor authentication and least-privilege access across applications, enhancing network monitoring, and retaining security logs for a minimum of two years.

Moreover, Microsoft will now tie a portion of its senior leadership team’s pay to meeting security targets. CEO Satya Nadella underscored the company’s commitment to security, urging the prioritisation of security over new feature releases or legacy system support. These measures aim to address criticisms of Microsoft’s security culture and response to breaches, as highlighted in a report from the US Cyber Safety Review Board.