Earlier this year, Microsoft announced a renewed focus on security, following years of security challenges and increasing scrutiny. Starting today, this commitment to security has been formalized by tying employee performance reviews to their security efforts.
Security as a Core Priority
In an internal memo obtained by The Verge, Kathleen Hogan, Microsoft’s Chief People Officer, made the company’s stance crystal clear. “Everyone at Microsoft will have security as a Core Priority,” Hogan stated. “When faced with a tradeoff, the answer is clear and simple: security above all else.”
This means that a lack of focus on security could now affect employees’ chances for promotions, merit-based salary increases, and bonuses. “Delivering impact for the Security Core Priority will be a key input for managers in determining impact and recommending rewards,” reads an internal FAQ on Microsoft’s new policy.
Integrating Security with Performance Reviews
Microsoft has elevated security to the same level of importance as diversity and inclusion, both of which are now mandatory topics in performance conversations, known internally as “Connects.” These discussions occur between employees and their managers and focus on agreed-upon priorities.
“It goes beyond compliance,” states Microsoft’s FAQ. “We are asking employees to prioritize security in all the work that they do and hold themselves accountable by capturing their impact whenever they complete a Connect.”
Demonstrating Security Impact
Employees must demonstrate how they’ve made significant security contributions. For technical staff, this includes incorporating security into product design processes from the outset, adhering to established security practices, and ensuring products are secure by default for Microsoft’s customers.
All Microsoft employees, including executives, are expected to use the company’s Connect tool for performance reviews. This tool includes security priorities that each employee must deliver on. As part of the Secure Future Initiative (SFI), Microsoft has already been overhauling its security measures to better protect its networks, production systems, engineering systems, and more.
Public-Facing Changes
While many of Microsoft’s internal security changes have not been public-facing, some have significantly impacted their products. For example, Microsoft will end support for Basic Authentication for Outlook personal accounts in September and remove the light version of the Outlook web application on August 19th.
Starting September 16th, Outlook.com, Hotmail, and Live.com users will need to access their email accounts through apps that use Modern Authentication, which may affect some third-party email apps and older versions of Outlook, Apple Mail, and Thunderbird.
Kathleen Hogan’s Full Memo
Here is the complete memo from Kathleen Hogan, outlining Microsoft’s new security-focused approach:
At Microsoft, we deliver mission-critical infrastructure that the world depends on to achieve more. With that trust in us comes a great responsibility: to protect our customers, our company, and our world from cyber threats. As Microsoft employees, we all have a role in that responsibility.
As Satya referenced in his May 3 email and again during his FY25 kickoff on July 9, security is our number-one priority, and everyone at Microsoft will have security as a Core Priority. When faced with a tradeoff, the answer is clear and simple: security above all else. Our commitment to security is enduring. New and novel attacks will require us to continue to learn, innovate, and defend. Yet working together, we will make nonlinear improvements, stay alert, and meet the expectations of our customers. They are counting on us, and our future depends on their trust.
Our new Security Core Priority reinforces our commitment to security and holds us accountable for building secure products and services. It is now available in the Connect tool for most employees, and we are partnering with geo HR teams to expand access to all employees globally. The Security Core Priority is not a check-the-box compliance exercise; it is a way for every employee and manager to commit to—and be accountable for—prioritizing security, and a way for us to codify your contributions and to recognize you for your impact. We all must act with a security-first mindset, speak up, and proactively look for opportunities to ensure security in everything we do.
The core priority will have two parts:
Core and common elements that apply to all employees
An optional section for employees to further specify how they will activate the Security Core Priority based on their role, team, org, etc.
All employees will set their Security Core Priority as part of their first FY25 Connect, with the intent that during regular Connect conversations, you and your manager will discuss your Security Core Priority progress and impact. This process will follow the same approach as our other company-wide core priorities for Diversity & Inclusion and Managers. You can learn more about the Security Core Priority here, including FAQs and Security Core Priority activation examples for three main types of roles: technical, customer and partner-facing, and all other roles.
As we kick off our 50th year as a company, I know we all feel honored and humbled that we are still here—as a relevant and consequential company—pursuing our mission together. When we empower every person and organization on the planet to achieve more, we take on society’s biggest challenges and empower the world. What a big, bold, and meaningful mission we have, and yet none of us can take this for granted. We are here because our customers trust us, and we must continue to earn their trust every day.
Thank you for your commitment to our Security Core Priority that will help protect Microsoft, our customers, and our partners.
Microsoft’s emphasis on security highlights its dedication to protecting its users and maintaining their trust. By making security a core priority for every employee, Microsoft aims to create a culture where security is integral to every aspect of its operations. This move is a clear signal that the company is serious about addressing security challenges head-on and setting a standard for the industry.
