COMMENTARY: For more than a decade, the reflexive corporate response to a cyberattack was simple and often shortsighted: fire the chief information security officer (CISO) or dismantle the entire information security team (IST).
The 2019 Capital One breach, which exposed the personal data of over 100 million customers, represents a striking example. Within months of the incident, CISO Michael Johnson was replaced, reinforcing the perception that the security leader was the natural scapegoat.
[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts.]
But the tide has turned. Corporate America now recognizes that cyber risk isn’t just a technical issue. It’s a core enterprise risk. And with this shift in mindset, corporate boards are increasingly understanding that accountability for protecting the business extends far beyond the CISO or IST, requiring buy-in from leadership across all functions.
It’s a positive development because the vast majority of breaches aren’t the direct result of the CISO or IST “failing” at their job. Aside from misconfigured tools or unpatched systems, attacks usually exploit the broader workforce through phishing emails, vishing calls, or sophisticated deepfakes. Other times, attackers find the weakest link at the digital front door: the web-facing assets of the business itself.
A shift in accountability
With this growing awareness, organizations are changing how they approach executive accountability after a cyber incident. In recent years, there have been fewer high-profile executive terminations directly tied to cyberattacks. Instead, boards have turned to alternative mechanisms to demonstrate oversight and enforce responsibility. Increasingly, reductions in compensation, bonuses, or stock options are being used to hold corporate leaders accountable in the wake of significant cybersecurity failures.
Most recently, the board of directors at Qantas Group, Australia’s flagship airline, took the notable step of reducing short-term compensation for the CEO and executive team in response to a cyberattack that significantly disrupted customers.
Too often, it takes a significant cyberattack to command the full attention of CEOs and senior executives. Compensation-linked incentives have emerged as one of the few proven mechanisms to generate visible executive accountability in risk management. And it’s a trend that shows no signs of slowing.
Are we on the right path?
Monetary penalties tied to cyber incidents are effective in elevating cybersecurity to the top of the corporate agenda. Faced with direct financial consequences, CEOs are far more likely to drive a cultural shift, ensuring that all executives view cyber risk as a core strategic, enterprisewide issue rather than a narrowly defined IT function.
However, boards must apply this approach with discernment. Top management must evaluate the severity, scope, and nature of an attack before financial penalties are imposed. Not all cyberattacks are created equal, nor do they always result from negligence or oversight. Some breaches stem from highly sophisticated campaigns — such as nation-state operations leveraging zero-day exploits — that can compromise even the most well-resourced and security-conscious organizations.
Without this contextual understanding, monetary consequences risk being both unfair and ineffective.
While financial accountability may elevate cybersecurity to the executive agenda, it does not, on its own, guarantee that CEOs and other leaders will fully embrace ownership of cyber hygiene and incident response. These responsibilities remain best led by the CISO and chief information officer (CIO), whose programs are specifically designed to manage and operationalize security practices across the enterprise.
Monetary penalties can compel CEOs and senior business leaders to take their own role in cyber resilience more seriously. For example, phishing awareness and cyber hygiene training — often dismissed with lip service — suddenly become more relevant when tied to personal accountability. Executives who might otherwise complain about security controls or pressure IT to grant exceptions may now finally recognize that such exceptions create prime entry points for attackers.
Moving forward, business unit leaders should model strong cybersecurity practices, and also integrate them into performance expectations for their teams. Making training actionable ensures that security becomes embedded into the culture rather than treated as a compliance checkbox.
We have to start thinking of cybersecurity as an enterprisewide responsibility, not a siloed IT issue. It’s both a team sport and, in many ways, a contact sport. Success requires active engagement from every corner of the organization, from mailroom to boardroom and boardroom to mailroom. Only when every individual and every business unit plays their part can organizations develop a truly resilient cybersecurity program.
The rise of compensation-linked accountability reflects a critical evolution in how boards and organizations treat cybersecurity. By attaching real financial consequences to cyber failures, they ensure that executives no longer dismiss cyber risk as a purely technical matter. It’s a valuable shift. It brings cybersecurity into the boardroom conversation and demands strategic attention at the highest levels.
Yet, financial penalties alone are not a cure-all. True resilience comes from embedding cybersecurity into the DNA of the organization. That requires buy-in from CEOs and senior executives, leadership from CIOs and CISOs, and commitment from every employee.
Accountability mechanisms may spark attention, but only collective engagement across the entire organization can deliver lasting protection.
James Turgal, vice president, global cyber risk and board relations, Optiv