Summarize this content to 2000 words in 6 paragraphs
Microsoft is adding a third “core priority,” focused on security, to employee reviews. (GeekWire File Photo)
Microsoft will elevate security to the status of “core priority” for all employees as part of the process of focusing their work and reviewing performance, according to an internal email Monday morning.
This is the latest step by the company to implement what it calls a security-first mindset. It follows a series of high-profile breaches that have raised concerns among regulators and legislators, and resurfaced longstanding questions about the widespread reliance on Microsoft’s technology by major customers.
The change will be implemented for all employees when setting priorities and reviewing performance, known internally as “Connect,” according to the email Monday from Kathleen Hogan, Microsoft’s chief people officer.
“The Security Core Priority is not a check-the-box compliance exercise; it is a way for every employee and manager to commit to — and be accountable for — prioritizing security, and a way for us to codify your contributions and to recognize you for your impact,” Hogan wrote. “We all must act with a security-first mindset, speak up, and proactively look for opportunities to ensure security in everything we do.”
With the move, security joins two existing core priorities as part of the Connect process, focused on diversity and inclusion, and Microsoft’s expectations and principles for managers.
Priorities and performance reviews are factors in employee bonuses, but the company did not provide specifics on the degree to which the change could impact employee compensation.
The timing for the Connect process varies, generally occurring two to three times a year. Microsoft is calling on employees to implement the new core priority starting with their first “Connect” of the fiscal year, which started July 1.
Separately, Microsoft said last week that it will provide employees with a special one-time cash award amounting to an additional 10% to 25% of the value of their annual bonuses for the company’s recently completed fiscal year.
The security changes build on Microsoft’s Secure Future Initiative (SFI), introduced last fall. It’s Microsoft’s latest attempt to prioritize security, dating back the “Trustworthy Computing” initiative that Bill Gates instituted in 2002.
Microsoft said in May that it would base a portion of senior executive compensation on progress toward security priorities, place deputy chief information security officers (CISOs) in each product group, and bring together teams from its major platforms and product teams in “engineering waves” to overhaul security.
Microsoft CEO Satya Nadella. (GeekWire File Photo)
In an internal memo at the time, Microsoft CEO Satya Nadella called on employees to make security their top priority, even if that means making difficult choices in the interest of greater security.
“If you’re faced with the tradeoff between security and another priority, your answer is clear: Do security,” the Microsoft CEO told employees. “In some cases, this will mean prioritizing security above other things we do, such as releasing new features or providing ongoing support for legacy systems.”
A critical report by the Cyber Safety Review Board (CSRB) in April described Microsoft’s security culture as “inadequate.” The report called for security initiatives to be “overseen directly and closely” by Microsoft’s CEO and board, and said “all senior leaders should be held accountable for implementing all necessary changes with utmost urgency.”
The CSRB report focused on a high-profile incident in May and June 2023, in which a Chinese hacking group known as Storm-0558 is believed to have compromised the Microsoft Exchange Online mailboxes of more than 500 people and 22 organizations worldwide, including senior U.S. government officials.
Microsoft revealed in January that a Russian state-sponsored actor known as Nobelium or Midnight Blizzard accessed its internal systems and executive email accounts. Subsequently, the company said the same attackers were able to access some of its source code repositories and internal systems.
Testifying before the U.S. House Committee on Homeland Security in June, Microsoft President Brad Smith said the company took responsibility for the issues cited by the CSRB, and reiterated the commitment to prioritizing security.
Here’s the full text of Hogan’s memo to employees Monday morning.
Date: August 5, 2024
Subject: Introducing our Company-wide Security Core Priority
At Microsoft, we deliver mission-critical infrastructure that the world depends on to achieve more. With that trust in us comes a great responsibility: to protect our customers, our company, and our world from cyber threats. As Microsoft employees, we all have a role in that responsibility.
As Satya referenced in his May 3 email and again during his FY25 kick off on July 9, security is our number-one priority, and everyone at Microsoft will have security as a Core Priority. When faced with a tradeoff, the answer is clear and simple: security above all else. Our commitment to security is enduring. New and novel attacks will require us to continue to learn, innovate, and defend. Yet working together, we will make nonlinear improvements, stay alert, and meet the expectations of our customers. They are counting on us, and our future depends on their trust.
Our new Security Core Priority reinforces our commitment to security and holds us accountable for building secure products and services. It is now available in the Connect tool for most employees, and we are partnering with geo HR teams to expand access to all employees globally. The Security Core Priority is not a check-the-box compliance exercise; it is a way for every employee and manager to commit to — and be accountable for — prioritizing security, and a way for us to codify your contributions and to recognize you for your impact. We all must act with a security-first mindset, speak up, and proactively look for opportunities to ensure security in everything we do.
The core priority will have two parts:
Core and common elements that apply to all employees
An optional section for employees to further specify how they will activate the Security Core Priority based on their role, team, org, etc.
All employees will set their Security Core Priority as part their first FY25 Connect, with the intent that during regular Connect conversations, you and your manager will discuss your Security Core Priority progress and impact. This process will follow the same approach as our other company-wide core priorities for Diversity & Inclusion and Managers. …
As we kick off our 50th year as a company, I know we all feel honored and humbled that we are still here — as a relevant and consequential company — pursuing our mission together. When we empower every person and organization on the planet to achieve more, we take on society’s biggest challenges and empower the world. What a big, bold, and meaningful mission we have, and yet none of us can take this for granted. We are here because our customers trust us, and we must continue to earn their trust every day.
Thank you for your commitment to our Security Core Priority that will help protect Microsoft, our customers, and our partners.
Kathleen
The changes follow the end of Microsoft’s 2024 fiscal year on June 30. Microsoft reported fiscal fourth quarter earnings of $64.7 billion, up 15%, and profits of $22 billion, up 10%, surpassing Wall Street’s expectations, even as some analysts were disappointed by its cloud growth and the timeline for seeing a larger payoff from AI investments.
