Microsoft has come under fire recently from both the U.S. government and rival companies for its failure to stop a Chinese hack of its systems last summer. One change the tech giant is making in response: linking executive compensation more closely to cybersecurity.

In April, a government review board described a hack of Microsoft last summer attributed to China as “preventable.” The U.S. Department of Homeland Security’s Cyber Safety Review Board pointed to “a cascade of errors” and a corporate culture at Microsoft “that deprioritized enterprise security investments and rigorous risk management.”

Competitors have taken advantage of the cyber lapse, with Google publishing a blog post this week highlighting the government findings and noting, “The CSRB report also highlights how many vendors, including Google, are already doing the right thing by engineering approaches that protect against tactics illustrated in the report.” 

CrowdStrike prominently displays the government conclusions on its site.

Nation-state attacks from China and Russia are increasing, and targeting corporations across the economy, as well as the U.S. government and social infrastructure. Microsoft has been a very big target, including hacks by Russia and China. There is growing pressure from the U.S. government for the company to improve its cybersecurity protocols, with its top corporate lawyer, Brad Smith, being called to testify on Capitol Hill.

Microsoft is in damage control mode. After a hack of executive email accounts in January attributed to Russian hackers, the company disclosed the incident in compliance with new federal cybersecurity disclosure rules, even though technically it was not a “material” hack that it was required by law to share, leading to discussion at other firms about where to draw the line on the new disclosure. The decision by Microsoft to link executive compensation to successful cybersecurity performance is also prompting discussions at other firms.

Microsoft launched its Secure Future Initiative in November, and earlier this month, the company outlined in a blog post from Charlie Bell, executive vice president of Microsoft Security, that as part of its SFI goals it will “instill accountability by basing part of the compensation of the company’s Senior Leadership Team on our progress in meeting our security plans and milestones.”

A Microsoft spokesperson declined to provide specifics on the compensation, but said as a company which plays a central role in the world’s digital ecosystem, it has a “critical responsibility” to make cybersecurity a top priority. It is part of the company’s “important governance changes [made] to further support a security-first culture,” the spokesperson said. 

Companies often provide more details, though often only limited details, on executive compensation performance targets in proxies for their annual meetings, which in Microsoft’s case was last held in December 2023.

Cybersecurity as a core corporate risk and bonus metric

It has become more common for corporations to tie a percentage of annual executive bonus payouts to various goals that go beyond meeting sales and profit targets. In recent years, many Fortune 500 companies, including Apple, have added bonus pay tied to ESG metrics. Risk management and safety goals have long been a part of executive compensation, dating back to an era before the rise of ESG — for example, mining and energy companies, as well as manufacturers and industrials, tying bonuses to environmental and worker safety.

The conversations about cybersecurity-linked executive pay have started taking place at other companies since Microsoft made its move, according to Aalap Shah, managing director at executive compensation consultant Pearl Meyer. It’s not prevalent as a compensation practice today, he said, but he added, “post-Microsoft’s announcement, I’ve gotten phone calls asking, ‘Should we do it? Would it work?’ … These conversations are very similar to the ones we were having a few years ago with ESG metrics and a significant percentage of companies adopted them.”

Shah said there is a case to be made that cybersecurity is a core issue that can be equated to mining or industrial safety. But there’s a big difference between a business in cybersecurity and, for example, a retailer, in making this case. And even in industries beyond technology and cybersecurity where keeping data secure is a core issue, such as financial services and health care — which have been targets of high-profile hacks — it’s not a clear case yet to tie executive compensation of the most senior people, such as a chief financial officer or general counsel, to cybersecurity, versus the chief information security officer or chief technology officer, specifically.

Tying pay to hacks is a ‘good place to start’

Some firms will make the case that cybersecurity is already ingrained in their culture and such a move would be redundant, but with the escalation in hacking threats and increased importance of cybersecurity spending to the bottom line of companies like Microsoft, this new executive pay metric may be overdue.

Making executive compensation contingent, to some degree, on meeting cybersecurity aims is a good place to start instilling a security culture at the top of the corporate hierarchy that is fundamental to success, according to experts. 

“The most important message being sent internally and externally is it’s very important to their culture and more and more companies will follow suit, regardless of whether the gain is significant,” Shah said. “What they want to do is make sure it is becoming ingrained culturally, and the path to do that is by linking it to compensation.”

“Cybersecurity has to be in the culture of the organization,” said Stuart Madnick, professor of information technology at MIT. But prioritizing security can be difficult within a corporation, Madnick said, because it often means putting money into places that aren’t clearly reflected on the bottom line. “Corporate culture prioritizes other things over security and risk management,” Madnick said. “How do you know how secure you are? Maybe no one is targeting you at the time. But if you increase sales by 20%, that’s money in the bank.”

Madnick’s research shows that gaps in corporate culture are often culprits in high-profile hacks, not just the Microsoft example. Prevention, he says, is as much about foresight as hindsight. In a recent article, he cited MIT studies on Equifax and Capital One security breaches of recent years as other prominent examples. “While some risks are true surprises unlikely to be recognized in advance, many are more like the burglar alarm known to be defective,” he said.

Equifax and Capital One did not respond to requests for comment.

Madnick described the corporate mentality as most often “systematic, semi-conscious decision making.” That means management decisions are made without analyzing the cyber risks that are being introduced by the decision. Tying executive compensation to security aims won’t necessarily mean that approach evaporates from a corporate culture, but he said it has symbolic resonance, and from that symbolic register, the practical may indeed follow.

‘An annoyance and a profit center’

For Microsoft, the stakes are higher than for most organizations. Its platforms and systems are so omnipresent — in business and government — that it’s essentially impossible to live without it. “There’s no alternative to Microsoft, from a productivity standpoint. You have to do insane things to try to work without it,” said Ryan Kalember, executive vice president of cybersecurity strategy at cybersecurity vendor Proofpoint.

Adding to the complexity of Microsoft’s unavoidability, he said, is the layered nature of its platforms, in which succeeding iterations are often buttressed by legacy applications stretching back to the 90s, before there were security threats remotely resembling what exists now.

The U.S. government has called on the largest, and oldest, tech companies to update systems that both businesses and consumers rely on. Last year, Cybersecurity and Infrastructure Security Agency director Jen Easterly said in a CNBC interview that cybersecurity is consumer safety, and compared it to automotive regulations. “Technology companies who for decades have been creating products and software that are fundamentally insecure need to start creating products that are secure by design and secure by default with safety features baked in,” she said. 

Legacy platforms are far easier to plug into and build on rather than deploying a new system entirely, but “it’s a security nightmare,” Kalember said. “One MS365 for everybody from the State Department to Joe’s Crab Shack is a fine business model, it just doesn’t lend itself well to traditional security measures.”

The architectural principles built into some of these legacy systems were designed “when ransomware was really a thing that simply didn’t exist – except on floppy disks,” he said. This has led to the company accruing massive amounts of what is called “technical debt” — decades of it — that can be abused by nation-states and allow foreign intelligence agencies “to steal anything they want,” he added.

Microsoft is caught between two competing impulses, with security “a combination of an annoyance and a profit center,” Kalember said. It’s a profit center because Microsoft is the world’s largest cybersecurity vendor, reaching $20 billion in annual revenue last year. That makes the compensation move “a good gesture,” he said, but he added, “without specifics behind it, it’s very difficult to assess.” 

No details on how Microsoft pay will be influenced

The lack of details on the compensation formula makes it impossible to properly evaluate the incentive. Many companies that adopted ESG metrics did so only in the bonus portion of executive pay, not the long-term incentive plan, which is much more significant. “That’s putting your money where your mouth is,” Shah said.

A bonus may comprise, on average, 20% of executive pay, and within the bonus pool specifically, non-core financial metrics such as ESG only contribute 20% of a potential total bonus payout. “When you have 20% of overall [bonus] compensation and divvy it up into a few different metrics, how much are you really tying something like cyber to it?” Shah said.

Long-term incentive plans tied to equity grants, especially in tech, are where the real money is made, and that’s where these types of non-core financial metrics are low in prevalence. That would be the ideal place within a compensation plan to set pay against long-term cybersecurity and corporate goals, but it is difficult for firms to conceive of two-to-three year goals related to cybersecurity, consumer privacy and data breaches that can be measured like sales and profit. “It will be a challenge,” Shah said. “Is it the number of incidents? The caution I have is the same as with ESG: you want to make sure not only the relevance is there, but you also want to make sure there are quantifiable goals. In a rush to adopt, if it’s subjective, then it is less meaningful for shareholders.”

Boards of directors already have the discretion to hold executives accountable each year and decide to do downward adjustments on bonuses, based on performance, including data breaches. To date, this type of bonus incentive/punishment has been mostly limited to chief information security officers, according to Mike Doonan, managing director at SPMB, an executive search firm where he specializes in technology. In his view, it’s an imperfect comparison to look at the history of bonus pay tied to metrics such as worker safety, since many hacks occur due to third-party vulnerabilities, which are often beyond the company’s direct control. But Doonan said he could see this type of executive incentive being adopted more broadly, “because it’s good PR to say security is a top priority across the entire executive suite, and it might result in improvements.” But he thinks there is an even better way to shore up corporate defense: “saving the bonus pool and investing those dollars into security programs.”

Silicon Valley’s early return on Trump investment: Plunging valuations, delayed IPOs

The Nasdaq MarketSite in New York, June 9, 2023.

Michael Nagle | Bloomberg | Getty Images

Silicon Valley executives and financiers publicly opened their wallets in support of President Donald Trump’s 2024 presidential run. The early returns in 2025 aren’t great, to say the least.

Following Trump’s sweeping tariff plan announced Wednesday, the Nasdaq suffered steep consecutive daily drops to finish 10% lower for the week, the index’s worst performance since the beginning of the Covid pandemic in 2020.

The tech industry’s leading CEOs rushed to contribute to Trump’s inauguration in January and paraded to Washington, D.C., for the event. Since then, it’s been a slog.

The market can always turn around, but economists and investors aren’t optimistic, and concerns are building of a potential recession. The seven most valuable U.S. tech companies lost a combined $1.8 trillion in market cap in two days.

Apple slid 14% for the week, its biggest drop in more than five years. Tesla, led by top Trump adviser Elon Musk, plunged 9.2% and is now down more than 40% for the year. Musk contributed close to $300 million to help propel Trump back to the White House.

Nvidia, Meta and Amazon all suffered double-digit drops for the week. For Amazon, a ninth straight weekly decline marks its longest such losing streak since 2008.

With Wall Street selling out of risky assets on concern that widespread tariff hikes will punish the U.S. and global economy, the fallout has drifted down to the IPO market. Online lender Klarna and ticketing marketplace StubHub delayed their IPOs due to market turbulence, just weeks after filing with the Securities and Exchange Commission, and fintech company Chime is also reportedly delaying its listing.

CoreWeave, a provider of artificial intelligence infrastructure, last week became the first venture-backed company to raise more than $1 billion in a U.S. IPO since 2021. But the company slashed its offering, and trading has been very volatile in its opening days on the market. The stock plunged 12% on Friday, leaving it 17% above its offer price but below the bottom of its initial range.

“You couldn’t create a worse market and macro environment to go public,” said Phil Haslett, co-founder of EquityZen, a platform for investing in private companies. “Way too much turbulence. All flights are grounded until further notice.”

CoreWeave investor Mark Klein of SuRo Capital previously told CNBC that the company could be the first in an “IPO parade.” Now he’s backtracking.

“It appears that the IPO parade has been temporarily halted,” Klein told CNBC by email on Friday. “The current tariff situation has prompted these companies to pause and assess its impact.”

‘Cave rapidly’

During last year’s presidential campaign, prominent venture capitalists like Marc Andreessen backed Trump, expecting that his administration would usher in a boom and eliminate some of the hurdles to startup growth set up by the Biden administration. Andreessen and his partner, Ben Horowitz, said in July that their financial support of the Trump campaign was due to what they called a better “little tech agenda.”

A spokesperson for Andreessen Horowitz declined to comment.

Some techies who supported Trump in the campaign have taken to social media to defend their positions.

Venture capitalist Keith Rabois, a managing director at Khosla Ventures, posted on X on Thursday that “Trump Derangement Syndrome has morphed into Tariff Derangement Syndrome.” He said tariffs aren’t inflationary, are effective at reducing fentanyl imports, and he expects that “most other countries will cave and cave rapidly.”

That was before China’s Finance Ministry said on Friday that it will impose a 34% tariff on all goods imported from the U.S. starting on April 10.

At Sequoia Capital, which is the biggest investor in Klarna, outspoken Trump supporter Shaun Maguire wrote on X, “The first long-term thinking President of my lifetime,” and said in a separate post that, “The price of stocks says almost nothing about the long term health of an economy.”

However, Allianz Chief Economic Advisor Mohamed El-Erian warned on Friday that Trump’s extensive raft of import tariffs are putting the U.S. economy at risk of recession.

“You’ve had a major repricing of growth prospects, with a recession in the U.S. going up to 50% probability, you’ve seen an increase in inflation expectations, up to 3.5%,” he told CNBC’s Silvia Amaro on the sidelines of the Ambrosetti Forum in Cernobbio, Italy.

Former Microsoft CEOs Bill Gates, left, and Steve Ballmer, center, pose for photos with CEO Satya Nadella during an event celebrating the 50th Anniversary of Microsoft on April 4, 2025 in Redmond, Washington. 

Stephen Brashear | Getty Images

Meanwhile, executives at tech’s megacap companies were largely silent this week, and their public relations representatives declined to provide comments about their thinking.

Microsoft CEO Satya Nadella was in the awkward position on Friday of celebrating his company’s 50th anniversary at corporate headquarters in Redmond, Washington. Alongside Microsoft’s prior two CEOs, Bill Gates and Steve Ballmer, Nadella sat down with CNBC’s Andrew Ross Sorkin for a televised interview that was planned well before Trump’s tariff announcement.

When asked about the tariffs at the top of the interview, Nadella effectively dodged the question and avoided expressing his views about whether the new policies will hamper Microsoft’s business.

Ballmer, who was succeeded by Nadella in 2014, acknowledged to Sorkin that “disruption is very hard on people” and that, “as a Microsoft shareholder, this kind of thing is not good.” Ballmer and Gates are two of the 12 wealthiest people in the world thanks to their Microsoft fortunes.

C-suites may not be able to stay quiet for long, especially if the recent turmoil spills into next week.

Lise Buyer, who previously helped guide Google through its IPO and now works as an adviser to companies going public, said there’s no appetite for risk in the market under these conditions. But there is risk that staffers get jittery, and they’ll surely look to their leaders for some reassurance.

“Until markets settle out and we have the opportunity to access valuation levels, public company CEOs should work to calm potentially distressed employees,” Buyer said in an email. “And private company managements should refine plans to get by on dollars already in the treasury.”

— CNBC’s Hayden Field, Jordan Novet, Leslie Picker, Annie Palmer and Samantha Subin contributed to this report.

Tesla’s June robotaxi deadline looms as political backlash builds over Elon Musk

Elon Musk has been promising investors for about a decade that Tesla’s cars are on the verge of turning into robotaxis, capable of driving themselves cross-country, after one big software update.

That hasn’t happened yet.

What Tesla offers is a sophisticated, but only partially automated, driving system that’s marketed in the U.S. as its Full Self-Driving (Supervised) option, though many Tesla fans refer to it as FSD. In China, Tesla recently changed the system’s name to “intelligent assisted driving.”

Full Self-Driving, as it was previously called, relies on cameras and software to enable features like automatic navigation on highways and city streets, or automatic braking and slowing in response to traffic lights and stop signs.

Tesla owner’s manuals warn users that FSD “is a hands-on feature” that requires them to pay attention to the road at all times. “Keep your hands on the steering wheel at all times, be mindful of road conditions and surrounding traffic,” the manuals say.

But many of Tesla’s customers ignore the fine print and use the system hands-free anyway.

Tesla’s partially automated driving systems have been a source of inspiration for its stalwart fans. But they’ve also caused controversy and concern for public safety after reports of injurious and fatal collisions where Tesla’s standard Autopilot or premium FSD systems were known to be in use.

FSD does a lot of things “amazingly well,” said Guy Mangiamele, a professional test driver for automotive consulting firm AMCI Testing, during a recent long drive in Los Angeles. But he added that “the times that it trips up, you could kill somebody or you could hurt yourself.”

The pressure has never been higher on Tesla to elevate the technology and deliver on Musk’s long-delayed promises.

The Tesla CEO is the wealthiest person in the world and was the biggest financial backer of President Donald Trump’s 2024 campaign. Since Trump’s January inauguration, Musk has been leading the administration’s Department of Government Efficiency effort to drastically slash the federal workforce and government spending.

The DOGE team has been connected to more than 280,000 layoff plans for federal workers and contractors impacting 27 agencies over the last two months, according to data tracked by Challenger Gray, the executive outplacement firm.

Musk’s work with DOGE – along with his frequently incendiary political rhetoric and endorsement of Germany’s far-right, anti-immigrant party AfD – has led to a tremendous backlash against Tesla.

Protests, boycotts and even criminal acts of vandalism have targeted the electric vehicle maker in recent months and led many prospective Tesla customers to turn to other brands. Meanwhile, existing Tesla owners have been trading in their EVs at record levels, according to data from Edmunds.

Tesla’s stock dropped 36% through the first three months of 2025, representing its steepest decline since 2022 and third-biggest slide for any quarter since the EV maker went public in June 2010. Tesla also reported 336,681 vehicle deliveries in the first quarter of 2025, a 13% decline from the same period a year ago.

Product unveilings and a “robotaxi launch” expected from Tesla in Austin, Texas, this year could revitalize investors’ sentiment about the company and hopefully lift its share price, Piper Sandler analysts wrote in a note following the worse-than-expected deliveries report.

On Tesla’s last earnings call, Musk promised investors that Tesla will finally start its driverless ride-hailing service in Austin in June.

To see whether the company’s FSD technology is anywhere close to a robotaxi-ready release, CNBC spent months riding along with Tesla owners who use Full Self-Driving (Supervised) and speaking with automotive safety experts about their impressions.

Auto-tech enthusiast and Tesla owner Chris Lee, host of the YouTube channel EverydayChris, told CNBC that Tesla’s system “definitely has a ways to go, but the fact that it’s able to go from where it was three years ago to today, is insane.”

Many experts, including Telemetry Vice President of Market Research Sam Abuelsamid, remain skeptical. There’s been “no evidence” that FSD is “anywhere close to being ready to be used in an unsupervised form” by June, said Abuelsamid, whose firm specializes in automotive intelligence.

Tesla FSD will “often work really well, particularly in daytime conditions” but then “randomly, in a scenario where it did fine previously, it will fail,” said Abuelsamid, adding that those scenarios can be unpredictable and dangerous.

Watch the video to learn more about the evolution of Tesla’s Full Self-Driving (Supervised) and whether it will be robotaxi-ready this June.

Microsoft AI chief Suleyman sees advantage in building models ‘3 or 6 months behind’

Microsoft owns lots of Nvidia graphics processing units, but it isn’t using them to develop state-of-the-art artificial intelligence models.

There are good reasons for that position, Mustafa Suleyman, the company’s CEO of AI, told CNBC’s Steve Kovach in an interview on Friday. Waiting to build models that are “three or six months behind” offers several advantages, including lower costs and the ability to concentrate on specific use cases, Suleyman said.

It’s “cheaper to give a specific answer once you’ve waited for the first three or six months for the frontier to go first. We call that off-frontier,” he said. “That’s actually our strategy, is to really play a very tight second, given the capital-intensiveness of these models.”

Suleyman made a name for himself as a co-founder of DeepMind, the AI lab that Google bought in 2014, reportedly for $400 million to $650 million. Suleyman arrived at Microsoft last year alongside other employees of the startup Inflection, where he had been CEO.

More than ever, Microsoft counts on relationships with other companies to grow.

It gets AI models from San Francisco startup OpenAI and supplemental computing power from newly public CoreWeave in New Jersey. Microsoft has repeatedly enriched Bing, Windows and other products with OpenAI’s latest systems for writing human-like language and generating images.

Microsoft’s Copilot will gain “memory” to retain key facts about people who repeatedly use the assistant, Suleyman said Friday at an event in Microsoft’s Redmond, Washington, headquarters to commemorate the company’s 50th birthday. That feature came first to OpenAI’s ChatGPT, which has 500 million weekly users.

Through ChatGPT, people can access top-flight large language models such as the o1 reasoning model that takes time before spitting out an answer. OpenAI introduced that capability in September — only weeks later did Microsoft bring a similar capability called Think Deeper to Copilot.

Microsoft occasionally releases open-source small-language models that can run on PCs. They don’t require powerful server GPUs, making them different from OpenAI’s o1.

OpenAI and Microsoft have held a tight relationship since shortly after the startup launched its ChatGPT chatbot in late 2022, effectively kicking off the generative AI race. In total, Microsoft has invested $13.75 billion in the startup, but more recently, fissures in the relationship between the two companies have begun to show.

Microsoft added OpenAI to its list of competitors in July 2024, and OpenAI in January announced that it was working with rival cloud provider Oracle on the $500 billion Stargate project. That came after years of OpenAI exclusively relying on Microsoft’s Azure cloud. Despite OpenAI partnering with Oracle, Microsoft in a blog post announced that the startup had “recently made a new, large Azure commitment.”

“Look, it’s absolutely mission-critical that long-term, we are able to do AI self-sufficiently at Microsoft,” Suleyman said. “At the same time, I think about these things over five and 10 year periods. You know, until 2030 at least, we are deeply partnered with OpenAI, who have [had an] enormously successful relationship for us.”

Microsoft is focused on building its own AI internally, but the company is not pushing itself to build the most cutting-edge models, Suleyman said.

“We have an incredibly strong AI team, huge amounts of compute, and it’s very important to us that, you know, maybe we don’t develop the absolute frontier, the best model in the world first,” he said. “That’s very, very expensive to do and unnecessary to cause that duplication.”
