Should C-level Bonuses Be Tied To Cybersecurity Posture?

The cybersecurity catch-22 – have you run across it? This is where, for example, you’ve found a vulnerability in a product, and you inform the affected company in a responsible way, but you never receive a response.

Or perhaps you work in the development team, and really want your employers to give you the resources you need to address a security flaw, only to see your requests shoved aside to focus on new, sexier features.

There is one group that faces this quandary all the time, and that’s the IT team. Every time they have a budget or priority meeting, someone will pipe up about the need to focus on repair work to improve the security of current services. Unfortunately, this person is often drowned out by other team members wanting to focus on exciting new services.

It’s frustrating at the best of times, but imagine how you would feel if your security recommendation was deemed untimely or too costly for implementation, and then the company gets hit by a threat that would have been thwarted had your defense strategy been adopted.

When a typical malicious threat hits a corporate network, it’s painful for a lot of different people. The internal teams struggle to contain and then mitigate the threat, those whose data has been compromised need to be informed and apologized to, shareholders get twitchy – all in all, it can be a nightmare scenario.

Take the attack on Disney’s Pirates of the Caribbean film in Spring 2017.  

This was the one where hackers claimed to have stolen the much-awaited Disney film and held it for ransom. They claimed that if they did not receive the ransom payment in a timely manner, they would leak the film online. Hackers threatened to release five minutes of the film, and later 20-minute segments, unless a bitcoin ransom was paid.

This type of attack, of which there are many variants, underscores the vulnerabilities media companies must address in the digital era. And, let’s face it, any company could be threatened in a similar manner. All it takes is getting your hands on something of value to an organization and then dangling it enticingly to reap a reward.

Should the C-level be dinged for cyber incidents?

But a new approach to ensuring security gets the priority it deserves is being hotly debated in the Disney Board Room.

As published by Secure World Expo, page 68 of Walt Disney’s annual report has a bit that says the company wants to assess “the feasibility of integrating additional cyber security and data privacy metrics into the performance measures of senior executives under Disney’s compensation incentive plans.”

Well, there is a grand idea. Imagine that senior staffers could be held accountable for failing to properly secure a digital environment.

On one hand, it would help solve the frustrations we talked about at the top of this article. Gone would be the CEO who poo poos the idea of fixing a vulnerability. Gosh – perhaps responsible bug finders would even be commended, rather than ignored.

And it would probably help build trust between the customer and the big corporations. The fact that top dog bonuses are tied to the resiliency of the network would give me a cosy blanket of additional assurance. I think I’d like to know whether the big honchos are financially incentivized to protect my sensitive information.

But it is also great for stakeholders and shareholders, people or firms that are funding the efforts of said company. They may not necessarily have operation veto rights. Stakeholders can lose their shirts if a company is pulled under by a nasty attack, so again, this bonus-related metric is attractive to that audience as well.

And yet. I see one big problem. Sometimes, threats hit because a single employee makes a mistake, trusts the wrong person, or gets duped by a sophisticated social engineering trick.

Sometimes, no matter how resilient your defenses, a targeted attack intent on accessing and compromising a network is successful. In other words, there is an element of luck, or of being in the wrong place at the wrong time.

However, bonuses for employees are largely based on forces outside the worker’s control. If you are in retail and there is a recession, your bonus will be impacted. If you are in technology and sales are low due to a competitor’s edge, your bonus reflects it.

With that in mind, perhaps it is a wise decision to consider tying top tier bonuses to the overall digital health of the firm. Perhaps it will make the whole system more honest. Like the farmer whose crops are wiped out one year by a freak storm, the same fate maybe should be faced by those in expensive suits.

Of course, these are not the only incentive schemes being introduced. There are also anti-discriminatory bonus schemes to ensure appropriate diversity with an organization. Microsoft, for instance, is one company that reportedly looked into this type of bonus structure.

“Many of these bonus programs are in the initial stages so it is too early to draw any definitive conclusions on their effectiveness. But these developments bear close attention and it will be very interesting to see the results, as well as other initiatives that may flow from these ideas,” writes litigator and Forbes contributor Eric Bachman of anti-discriminatory bonuses, and perhaps the same can be said for cyber-incident related bonuses.

In other words, it is early days, but this type of lateral thinking feels like the right thing to seriously explore. We need a way to rebuild trust in companies that treat their systems and their data (much of which belongs to individuals like you and me) with the very best of care and consideration. Having a proportion of a bonus tied to these efforts may be a way to take a step in the right direction.

We’re here to help.

Want some advice on your firm”s cybersecurity posture? Get in touch with TBG Security. From pen tests to securing the blockchain, and from compliance to CISOs on demand, we are here to help.

Previous ArticleHow the US government shutdown damages cybersecurity for everybody Next ArticleDevSecOps: an intro on why you need it