Industry experts were generally pleased to read in the press Friday that Qantas Airways trimmed the bonus of CEO Vanessa Hudson by $250,000 to $4.09 million following a cybersecurity incident over the summer.

The leading Australian airline confirmed July 2 that it experienced a cyberattack on a third-party customer service platform in one of its call centers that affected nearly 6 million customer accounts.

“The last headline I can recall about a CEO being held responsible for a breach dates back to the Target breach in 2013, when the CEO was forced to step down the following year,” said John Watters, managing partner and CEO at iCOUNTER. “It will certainly be interesting to see if this is a once-a-decade event, or if it becomes the norm moving forward.”

Dave Gerry, chief executive officer at Bugcrowd, pointed out that it’s often easy to point the finger at the various technology teams, including the CISO. But the reality is that the accountability for funding, prioritizing and evangelizing security practices sits with the CEO and senior leadership team.
“Demonstrating that there’s a financial impact for the CEO sends a clear message to shareholders that cybersecurity is a business enabler, protecting customers’ data is of paramount importance, and the CEO is taking ownership of ensuring that the business does everything possible to uphold the trust placed in them by their customers,” said Gerry.

Lawrence Pingree, vice president of technical marketing at Dispersive, added that there has been quite a bit of controversy around punishing security staff. In most organizations, Pingree said, the CISO and staff are so overwhelmed by data, change and threat actor maneuvers that punishing them seems very contrary.

“These are the people who are generally trying to get executives and non-security staff to adhere to standards, regulations, mandates and security requirements,” said Pingree. “Shifting the burden to the executive team and boards at least puts more emphasis on the person or persons actually in control of the application of many security mandates.”

John Carberry, solution sleuth at Xcape Inc., said reducing executive bonuses following a security breach demonstrates responsibility, but a 15% reduction is largely symbolic rather than impactful. To make a significant difference, Carberry said, companies need to integrate security into performance measures, such as lowering vulnerability counts or improving response times, instead of relying on penalties applied after the fact.

“Such reactive measures will do nothing to protect an organization’s information assets,” said Carberry. “The only way that we, as an industry, will gain traction against the adversary is to stop treating cyber security as a cost center and spend proactively on internal security teams.”