Analysis: MPs have recommended CEO salaries to be linked to cyber security – but are they missing a wider management problem in cyber security?
MPs have this week set out a series of recommendations for companies who fail to guard against cyber attacks and data breaches. One of the most talked about recommendations from the Culture, Media and Sport Committee concerned the salary of CEOs, specifically that salaries of the top brass should be linked to effective cyber security.
This move by the government to enforce a firmer hand in cyber security has been generally welcomed by the security industry, with most agreeing that the buck stops with the CEO. They are the leader, the one at the top, after all. However, the issue of penalties and salaries linked to cyber security has divided the security industry.
On one hand, as Chris Wysopal, CTO and co-founder at Veracode, argues: "CEOs are ultimately responsible for a data breach. Cyber security is an organisation-wide problem and not one that can be solved by a CISO or CIO alone. The CEO needs to prioritise the protection of customer data and engage the entire leadership team of an organisation in order for cyber security to be effective."
While others, like Javvad Malik, Security Advocate at AlienVault, believe it is wrong to blame one individual for security failings, saying:
"Whilst a CISO (chief information security officer) or similar may be accountable for security, its impact spans across the company. The CEO is responsible for the business as a whole and its performance. Security forms a part of that, and shouldn’t be treated differently in that regard. CEOs are often held accountable and even fired for poorly performing businesses – the reasons behind a poorly performing business may or may not be linked to security.
"I feel it’s wrong to simply attribute a single security incident to a CEO and impose financial penalties upon the individual."
While the CEO is always going to be in the crosshairs of blame when it all goes wrong, they are rarely a cyber security professional. This is where the CEO needs to use his or her power over spending and hiring to appoint what Orlando Scott-Cowley, cyber security strategist at Mimecast, calls ‘trusted lieutenants’ to run security.
"The lack of appointed CISOs highlights how businesses are just not being serious about the risks they’re facing, and are sitting on their hands. Ultimately the CEO is responsible, but he or she should delegate the task of cyber security to the CISO or CSO, in the same way the CFO handles financial matters.
"It’s the CEO’s responsibility to lead the company, and his or her trusted lieutenants should be made up of the usual suspects and a CISO. Failing to appoint any one of the CxO suite should result in consequences."
Looking past the C-suite, it could be argued that cyber security concerns everyone in the organisation – but again, the right attitude needs to come from the key executives at the top.
Mark Logsdon, cyber resilience expert at AXELOS, said: "To be effective, cyber resilience must involve all people in an organisation. Successful cyber breaches are usually caused by the unwitting actions of a member of staff – and so minimising that risk through effective education and ongoing learning must be an essential part of achieving effective cyber resilience.
"However, it is vital that the board sets the right ‘tone from the top’, being aware of particular cyber risks and vulnerabilities, asking the right questions and helping drive and action the necessary programmes designed to support their chosen risk strategy."
Ultimately, are CEOs to blame for cyber security failings? Yes and no. A CEO cannot be blamed for a cyber attack hitting a company, but they can be blamed for not having the right personnel, expertise, technology, strategy and company-wide education in place to deter and minimise the impact of an attack or data breach. For Mark James, Security Specialist at ESET, the question of who to blame should not even be asked at all.
"Certainly CEOs should be accountable, but only to the degree they would be accountable for any other failing within the organisation. Ultimately they have the power to make decisions on where spending and expertise is placed to protect the company as a whole, and keeping our data safe should be a major concern if they are entrusted by us to do so.
"However, the question should be ‘have they taken enough preventative measures?’ not ‘who’s to blame?’ Finding out what went wrong, how it can be stopped in future and finding ways to better protect us, the users, are the key points that need addressing."