Should the salaries of CEOs be linked to how well their company has protected itself against security threats?
British MPs certainly seem to think so.
This week, a UK parliamentary report has concluded that more has to be done to ensure that sufficient steps are taken by businesses to protect against the types of threats and vulnerabilities that lead to data breaches.
And how can we feel confident that CEOs are taking the threats to their businesses seriously? Well, MPs propose that a “proportion of CEO compensation should be linked to effective cyber security”.
In other words, feeble security (such as websites riddled with simple SQL injection vulnerabilities) should lead to a CEO’s pay packet being slashed.
Furthermore, the parliamentary report calls for a sliding scale of fines to be introduced, punishing businesses that haven’t taken their security seriously and have put innocent customers at risk:
“The ICO should introduce a series of escalating fines, based on the lack of attention to threats and vulnerabilities which have led to previous breaches. A data breach facilitated by a ‘plain vanilla’ SQL attack, for example, or continued vulnerabilities and repeated attacks, could thus trigger a significant fine. We were also surprised that there is no requirement to make security a major consideration in the design of new IT systems and apps. We therefore recommend that security by design should be a core principle for new system and apps development and a mandatory part of developer training, with existing development staff retrained as necessary.”
The report, compiled by the Department of Culture, Media and Sport select committee in the aftermath of the notorious TalkTalk hack of last October, couldn’t have come at a better time.
Because this week TalkTalk revealed that its CEO Dido Harding has received £2.8 million in pay and share bonuses.
That’s a large amount of money by anyone’s standards, but it is especially generous when you consider that hundreds of thousands of customers had their details hacked, the telecoms firm saw its profits plunge 56%, and the hack cost its business £42 million.
And one has to wonder how TalkTalk’s compensation of its CEO sits in line with the proposal of linking pay to effective cyber security.
After all, what was particularly bad about the TalkTalk hack was not just that it appears to have been made possible through an elementary SQL injection attack, but also that it was the third time in a year that the telecoms firm had suffered a data breach.
Harding, who is a member of the House of Lords, whose husband is a Conservative MP, and who went to university with Prime Minister David Cameron, says she will donate her £220,000 cash bonus to charity:
"Throughout the cyber attack, we worked hard to put our customers first, and we know that they have appreciated our efforts and our honesty throughout.
"Nevertheless, last October was a challenging period for TalkTalk and its customers and, in recognition of that, I have made a personal decision to donate my bonus to our charity partner, Ambitious About Autism."
We shouldn’t forget that the real villains behind any cyber attack are the perpetrators who launch it. Although a number of teenagers have been arrested in relation to the TalkTalk data breach, as yet none have been charged.
Nonetheless, the public is putting its trust in big businesses to protect their data effectively, and unless CEOs wake up to the importance of computer security we are going to see more and more damaging data breaches in the future.
If that means that CEOs need to feel the pain where it will hurt them most – in the pocket – then so be it.
Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.