The big picture: Microsoft has taken heat over security issues in its products for years. Despite CEO Satya Nadella making security a "top priority" in the wake of major cyberattacks and criticism from the feds back in May, that didn't stop the CrowdStrike fiasco from happening. More work was clearly needed, so the company is now doubling down by tying security directly to employee performance reviews and compensation.
In an internal memo obtained by The Verge, Microsoft's chief people officer Kathleen Hogan outlined the company's new "Security Core Priority" policy, which builds on the previous "Secure Future" initiative ushered in by Nadella. She re-emphasized the CEO's words in the memo, saying that when faced with a trade-off, employees have their marching orders: "security above all else."
However, the new policy puts real teeth behind the push. A lack of focus on security could directly affect promotions, salary increases, and bonuses for Microsoft's workforce.
Microsoft essentially wants employees to do more than simply check boxes on compliance requirements. It expects employees to bake security into every aspect of their work and hold themselves accountable. All staff will need to demonstrate how they prioritized and improved security through their regular performance conversations, tracked in the company's "Connect" tool.
For those on the technical side of building products, it means security gets integrated from the initial design phase rather than tacked on as an afterthought.
It's not just developers in the crosshairs, though. Microsoft is strengthening its commitment to the "security-first mindset" across the entire workforce, regardless of role. Even executives will have specific security deliverables tied to their Connect reviews.
The stakes are high for Microsoft as it rebrands itself as a security-focused company after years of being battered by malware, vulnerabilities, and data breaches. After all, the company's software and services like Windows, Office, and Azure run mission-critical systems across enterprises and governments worldwide. Losing that trust could be catastrophic.
The new policy formalizes security as a core priority on par with Microsoft's existing mandates around diversity and inclusion.
"The Security Core Priority is not a check-the-box compliance exercise; it is a way for every employee and manager to commit to – and be accountable for – prioritizing security, and a way for us to codify your contributions and to recognize you for your impact. We all must act with a security-first mindset, speak up, and proactively look for opportunities to ensure security in everything we do."
The changes are already impacting some Microsoft products and services. Basic Authentication for personal Outlook accounts gets dropped next month in a move to push people to use Modern Authentication. Meanwhile, the lightweight Outlook web app gets retired on August 19 to eliminate any potential security risks.