Microsoft is making a significant shift in how it approaches security by integrating it into employee performance evaluations. This change, announced by Kathleen Hogan, the company’s Chief People Officer, aims to ensure that security becomes a fundamental priority for all employees.
In a recent internal memo, Kathleen Hogan emphasized that security is now a “Core Priority” for Microsoft employees. This means that security will be a key focus in performance reviews and is considered as important as other core priorities like diversity and inclusion. Hogan’s memo made it clear: “When faced with a tradeoff, the answer is clear and simple: security above all else.” This statement reflects Microsoft’s commitment to embedding security deeply into its organizational culture.
What has changed?
Starting now, security will be a key part of how employees are evaluated. This means that how well employees focus on and improve security will be important for things like promotions, raises, and bonuses. Managers will look at employees’ security contributions when deciding on rewards and performance.
The new Security Core Priority has two main components:
- Basic security expectations: These apply to everyone at Microsoft. Every employee must consider security in their daily work and make sure they are contributing to it.
- Role-specific security goals: Employees will also set specific security goals based on their job role. This means they’ll tailor their security efforts to fit their specific duties.
For technical employees, this means including security measures right from the start when designing products. They must follow best practices and ensure products are secure by default. For those in non-technical roles, it means supporting security efforts in their work and being aware of security issues.
Employees will set their Security Core Priority during their first performance review for the fiscal year 2025 (FY25). They will discuss their progress on security goals during regular performance reviews. This new focus on security is meant to be a continuous part of their work, not just a one-time check.
Here is Hogan’s full memo:
At Microsoft, we deliver mission-critical infrastructure that the world depends on to achieve more. With that trust in us comes a great responsibility: to protect our customers, our company, and our world from cyber threats. As Microsoft employees, we all have a role in that responsibility.
As Satya referenced in his May 3 email and again during his FY25 kick off on July 9, security is our number-one priority, and everyone at Microsoft will have security as a Core Priority. When faced with a tradeoff, the answer is clear and simple: security above all else. Our commitment to security is enduring. New and novel attacks will require us to continue to learn, innovate, and defend. Yet working together, we will make nonlinear improvements, stay alert, and meet the expectations of our customers. They are counting on us, and our future depends on their trust.
Our new Security Core Priority reinforces our commitment to security and holds us accountable for building secure products and services. It is now available in the Connect tool for most employees, and we are partnering with geo HR teams to expand access to all employees globally. The Security Core Priority is not a check-the-box compliance exercise; it is a way for every employee and manager to commit to—and be accountable for—prioritizing security, and a way for us to codify your contributions and to recognize you for your impact. We all must act with a security-first mindset, speak up, and proactively look for opportunities to ensure security in everything we do.
The core priority will have two parts:
- Core and common elements that apply to all employees
- An optional section for employees to further specify how they will activate the Security Core Priority based on their role, team, org, etc.
All employees will set their Security Core Priority as part of their first FY25 Connect, with the intent that during regular Connect conversations, you and your manager will discuss your Security Core Priority progress and impact. This process will follow the same approach as our other company-wide core priorities for Diversity & Inclusion and Managers. You can learn more about the Security Core Priority here, including FAQs and Security Core Priority activation examples for three main types of roles: technical, customer and partner-facing, and all other roles.
As we kick off our 50th year as a company, I know we all feel honored and humbled that we are still here—as a relevant and consequential company—pursuing our mission together. When we empower every person and organization on the planet to achieve more, we take on society’s biggest challenges and empower the world. What a big, bold, and meaningful mission we have, and yet none of us can take this for granted. We are here because our customers trust us, and we must continue to earn their trust every day.
Thank you for your commitment to our Security Core Priority that will help protect Microsoft, our customers, and our partners.
Kathleen
Ongoing security efforts
This new policy is part of Microsoft’s broader Secure Future Initiative (SFI), which aims to improve security across the company. Recent changes include ending support for Basic Authentication in Outlook and removing the light version of the Outlook web app. These changes require users to use Modern Authentication, which might affect some older email apps and clients.
By making security a key part of performance reviews, Microsoft aims to create a stronger focus on protecting its customers, products, and overall digital environment. As the company marks its 50th year, this change highlights how crucial security is to maintaining trust and fulfilling its mission to help people and organizations achieve more.
All images are generated by Eray Eliaçık/Bing