Microsoft, under attack from government and tech rivals after "preventable" hack, ties executive pay to cyber threats

Date: 2024-09-22

Microsoft has recently come under fire from the U.S. government and from competitors for failing to stop a Chinese hack of its systems last summer. In response, the tech giant is making a change: tying executive compensation more closely to cybersecurity.

In April, a government review board called the Microsoft hack, attributed to China, "preventable." The Department of Homeland Security's Cyber Safety Review Board pointed to a "cascade of errors" at Microsoft and a corporate culture that "deprioritized both enterprise security investments and rigorous risk management."

Competitors have seized on the security lapse. Google published a blog post this week highlighting the government's findings and noting that "the CSRB report also highlights how many vendors, including Google, are already doing the right thing by engineering approaches that protect against the tactics illustrated in the report." CrowdStrike displays the government's conclusions prominently on its website.

Nation-state attacks from China and Russia are on the rise, targeting companies across the economy as well as the U.S. government and societal infrastructure. Microsoft has been a major target, including hacks by Russia and China. Pressure from the U.S. government on the company to improve its cybersecurity protocols is growing, and its top corporate lawyer, Brad Smith, has been summoned to testify on Capitol Hill.

Microsoft is in damage-control mode. After Russian hackers breached executive email accounts in January, the company disclosed the incident under the new federal cybersecurity disclosure rules even though, technically, it was not a "material" hack that the law required it to share, which prompted discussion at other companies about where the boundaries of the new disclosures lie. Microsoft's decision to tie executive pay to successful cybersecurity performance is another move that has sparked discussion at other companies.

Microsoft launched its Secure Future Initiative in November, and earlier this month, the company outlined in a blog post from Charlie Bell, executive vice president of Microsoft Security, that as part of its SFI goals it will "instill accountability by basing part of the compensation of the company's Senior Leadership Team on our progress in meeting our security plans and milestones." A Microsoft spokesperson declined to provide specifics on the compensation, but said that as a company which plays a central role in the world's digital ecosystem, it has a "critical responsibility" to make cybersecurity a top priority. It is part of the company's "important governance changes [made] to further support a security-first culture," the spokesperson said. Companies often provide more details, though often only limited details, on executive compensation performance targets in annual meeting proxies, which in Microsoft's case was last held in December 2023.

Cybersecurity as a core corporate risk and bonus metric

It has become more common for corporations to tie a percentage of annual executive bonus payouts to various goals that go beyond meeting sales and profit targets. In recent years, many Fortune 500 companies, including Apple, have added bonus pay tied to ESG metrics.
Risk management and safety goals have long been a part of executive compensation, dating back to an era before the rise of ESG. Mining and energy companies, as well as manufacturers and industrials, for example, have tied bonuses to environmental and worker safety.

The conversations about cybersecurity-linked executive pay have started taking place at other companies since Microsoft made its move, according to Aalap Shah, managing director at executive compensation consultant Pearl Meyer. It's not prevalent as a compensation practice today, he said, but he added, "post-Microsoft's announcement, I've gotten phone calls asking, 'Should we do it? Would it work?' ... These conversations are very similar to the ones we were having a few years ago with ESG metrics and a significant percentage of companies adopted them."

Shah said there is a case to be made that cybersecurity is a core issue that can be equated to mining or industrial safety. But there's a big difference between a business in cybersecurity and, for example, a retailer, in making this case. And even in industries beyond technology and cybersecurity where keeping data secure is a core issue, such as financial services and health care, which have been targets of high-profile hacks, it's not a clear case yet to tie executive compensation of the most senior people, such as a chief financial officer or general counsel, to cybersecurity, versus the chief information security officer or chief technology officer, specifically.

Tying pay to hacks is a 'good place to start'

Some firms will make the case that cybersecurity is already ingrained in their culture and such a move would be redundant, but with the escalation in hacking threats and the increased importance of cybersecurity spending to the bottom line of companies like Microsoft, this new executive pay metric may be overdue.
Making executive compensation contingent, to some degree, on meeting cybersecurity aims is a good place to start instilling a security culture at the top of the corporate hierarchy that is fundamental to success, according to experts. "The most important message being sent internally and externally is it's very important to their culture and more and more companies will follow suit, regardless of whether the gain is significant," Shah said. "What they want to do is make sure it is becoming ingrained culturally, and the path to do that is by linking it to compensation." "Cybersecurity has to be in the culture of the organization," said Stuart Madnick, professor of information technology at MIT. But prioritizing security can be difficult within a corporation, Madnick said, because it often means putting money into places that aren't clearly reflected on the bottom line. "Corporate culture prioritizes other things over security and risk management," Madnick said. "How do you know how secure you are? Maybe no one is targeting you at the time. But if you increase sales by 20%, that's money in the bank." Madnick's research shows that gaps in corporate culture are often culprits in high-profile hacks, not just the Microsoft example. Prevention, he says, is as much about foresight as hindsight. In a recent article, he cited MIT studies on Equifax and Capital One security breaches of recent years as other prominent examples. "While some risks are true surprises unlikely to be recognized in advance, many are more like the burglar alarm known to be defective," he said. Equifax and Capital One did not respond to requests for comment. Madnick described the corporate mentality as most often "systematic, semi-conscious decision making." That means management decisions are made without analyzing the cyber risks that are being introduced by the decision. 
Tying executive compensation to security aims won't necessarily mean that approach evaporates from a corporate culture, but he said it has symbolic resonance, and from that symbolic register, the practical may indeed follow.

'An annoyance and a profit center'

For Microsoft, the stakes are higher than for most organizations. Its platforms and systems are so omnipresent, in business and government, that it's essentially impossible to live without them. "There's no alternative to Microsoft, from a productivity standpoint. You have to do insane things to try to work without it," said Ryan Kalember, executive vice president of cybersecurity strategy at cybersecurity vendor Proofpoint.

Adding to the complexity of Microsoft's unavoidability, he said, is the layered nature of its platforms, in which succeeding iterations are often buttressed by legacy applications stretching back to the 1990s, before security threats remotely resembling today's existed. The U.S. government has called on the largest, and oldest, tech companies to update systems that both businesses and consumers rely on. Last year, Cybersecurity and Infrastructure Security Agency director Jen Easterly said in a CNBC interview that cybersecurity is consumer safety, and compared it to automotive regulations. "Technology companies who for decades have been creating products and software that are fundamentally insecure need to start creating products that are secure by design and secure by default with safety features baked in," she said.

Legacy platforms are far easier to plug into and build on than an entirely new system is to deploy, but "it's a security nightmare," Kalember said. "One MS365 for everybody from the State Department to Joe's Crab Shack is a fine business model, it just doesn't lend itself well to traditional security measures."
The architectural principles built into some of these legacy systems were designed "when ransomware was really a thing that simply didn't exist – except on floppy disks," he said. This has led to the company accruing massive amounts of what is called "technical debt," decades of it, that can be abused by nation-states and allow foreign intelligence agencies "to steal anything they want," he added.

Microsoft is caught between two competing impulses, with security "a combination of an annoyance and a profit center," Kalember said. It's a profit center because Microsoft is the world's largest cybersecurity vendor, reaching billion in annual revenue last year. That makes the compensation move "a good gesture," he said, but he added, "without specifics behind it, it's very difficult to assess."

No details on how Microsoft pay will be influenced

The lack of details on the compensation formula makes it impossible to properly evaluate the incentive. Many companies that adopted ESG metrics did so only in the bonus portion of executive pay, not the long-term incentive plan, which is much more significant. "That's putting your money where your mouth is," Shah said. A bonus may comprise, on average, 20% of executive pay, and within the bonus pool specifically, non-core financial metrics such as ESG only contribute 20% of a potential total bonus payout. "When you have 20% of overall [bonus] compensation and divvy it up into a few different metrics, how much are you really tying something like cyber to it?" Shah said. Long-term incentive plans tied to equity grants, especially in tech, are where the real money is made, and that's where these types of non-core financial metrics are low in prevalence.
That would be the ideal place within a compensation plan to set pay against long-term cybersecurity and corporate goals, but it is difficult for firms to conceive of two-to-three year goals related to cybersecurity, consumer privacy and data breaches that can be measured like sales and profit. "It will be a challenge," Shah said. "Is it the number of incidents? The caution I have is the same as with ESG: you want to make sure not only the relevance is there, but you also want to make sure there are quantifiable goals. In a rush to adopt, if it's subjective, then it is less meaningful for shareholders." Boards of directors already have the discretion to hold executives accountable each year and decide to do downward adjustments on bonuses, based on performance, including data breaches. To date, this type of bonus incentive/punishment has been mostly limited to chief information security officers, according to Mike Doonan, managing director at SPMB, an executive search firm where he specializes in technology. In his view, it's an imperfect comparison to look at the history of bonus pay tied to metrics such as worker safety, since many hacks occur due to third-party vulnerabilities, which are often beyond the company's direct control. But Doonan said he could see this type of executive incentive being adopted more broadly, "because it's good PR to say security is a top priority across the entire executive suite, and it might result in improvements." But he thinks there is an even better way to shore up corporate defense: "saving the bonus pool and investing those dollars into security programs."
