How much is cybersecurity worth to Microsoft?

Microsoft has announced that a third of the bonuses paid to each of its 14 highest-paid senior executives will depend on their success in improving the company’s cybersecurity.

The announcement follows a US Congress session that saw Microsoft President Brad Smith questioned harshly about the software giant’s plans to improve cybersecurity following a series of attacks against the email accounts of federal employees due to a cascade of errors and multiple vulnerabilities, calling into question the company’s suitability as a major government contractor.

In addition, Congress expressed concerns about Microsoft’s growing presence in China, as well as its technology transfer agreements with the United Arab Emirates. Media coverage of the session has put the company on the defensive, to the point of stating cybersecurity is now its top priority, even above AI.

The question is whether conditioning senior executives’ bonuses is the best way to change Microsoft’s culture. Does cybersecurity really depend on those fourteen highest-paid executives? Obviously, new priorities need be applied at all levels, and that is something those managers can do, but is it enough? As is well known, cybersecurity depends on the weakest link. Are these people the weakest links?