Microsoft has told its staff they must show how they have prioritized security during performance reviews or face missing out on promotions and salary increases.
According to a memo from Kathleen Hogan, Chief People Officer at Microsoft, every staff member will now have security as a “Core Priority.”
Channeling her inner Uncle Ben, Hogan began: “At Microsoft, we deliver mission-critical infrastructure that the world depends on to achieve more. With that trust in us comes a great responsibility: to protect our customers, our company, and our world from cyber threats.”
CEO Satya Nadella previously kicked off the fiscal year 2025 by reiterating that security would be Microsoft's top priority.
The memo has shown Microsoft employees how this will impact their performance reviews.
How will Microsoft make security a part of performance reviews?
The ‘Security Core Priority’ has been codified into documentation and made available to Microsoft’s staff; the company worked with local HR teams across the globe to ensure employees have access to it.
The documentation provides requirements for employees to follow as the company aims to embed a security-first culture, including guidance on proactively seeking out security issues and speaking up when they are identified.
Like other core priorities at Microsoft, including diversity and inclusion, security is now embedded within ‘Connect’ performance reviews between employees and their managers.
“All employees will set their Security Core Priority as part of their first FY25 Connect, with the intent that during regular Connect conversations, you and your manager will discuss your Security Core Priority progress and impact,” the memo stated.
Hogan linked to an FAQ for employees in the memo which confirms that neglecting their security requirements could lead to staff missing out on promotions, pay raises, and performance-based bonuses.
“Delivering impact for the Security Core Priority will be a key input for managers in determining impact and recommending rewards,” the FAQ says.
Microsoft tells staff to “go beyond compliance”
All employees at Microsoft, not just those in technical roles, have been mandated to adopt a security-first approach, including customer-facing, partner-facing, and operational positions.
Some elements of the Security Core Priority are required for all workers, though a section is also included for employees to update their progress on unique role, team, or organization-specific security projects.
Hogan and Microsoft hope that asking employees to regularly demonstrate how they have delivered security changes will lead to greater accountability across the company, and help continue its work to better protect its networks and engineering systems.
“It goes beyond compliance, as we are asking employees to prioritize security in all the work that they do and hold themselves accountable by capturing their impact for it whenever they complete a Connect,” the FAQ states.
Although the company enjoyed a strong financial performance in the last financial year – employees were recently awarded a one-off cash award worth 10% to 25% of their annual bonus – Microsoft’s leadership has responded to long-standing industry criticism over its security practices.
In May, it announced that executive compensation would be based in part on progress on security measures, and that it was restructuring teams to overhaul security practices, including introducing deputy chief information security officers (CISOs) into product groups.
“We are here because our customers trust us, and we must continue to earn their trust every day,” Hogan concluded, thanking employees in advance for their commitment to the new measures.