Should C-Level Bonuses Be Linked to Cybersecurity Success?

MPs suggested bonuses should be slashed for CEOs whose firms were hit by cyber-attacks. Sooraj Shah asks whether that’s fair

Computer scientist Gerald Weinberg once said that blame flowing upwards in an organization proves that superiors can take responsibility for their orders to their inferiors, while blame flowing downwards, from management to staff, indicates organizational failure.

In an ideal organization, there would be no blame culture at all – but the responsibility Weinberg refers to would remain. With cybersecurity, that responsibility comes down to the CEO. A recent survey conducted by insurance provider Lloyds found that 55% of British CEOs drive the decisions regarding protection against, and planning for, a data security breach. Matthew Webb, group head of cyber at Lloyd’s syndicate Hiscox, believes this could be “almost treble” the number of CEOs taking responsibility compared to five years ago.

However, in a bid to increase the awareness and importance of cybersecurity in the boardroom further, MPs of the Culture, Media and Sport Committee have suggested that “a portion of CEO compensation should be linked to effective cybersecurity, in a way to be decided by the board.”

The Committee’s recommendations were detailed in a report which was released just after TalkTalk CEO Dido Harding saw her performance pay slashed by more than a third to £220,000 as a result of the catastrophic data breach the company suffered last year.

While it makes sense for organizations to take more interest and care over their cybersecurity operations, is it really feasible to link the pay packets of CEOs, or indeed any other employees that deal with IT security, to how well the cybersecurity operation is functioning?

One of the hardest aspects of such a strategy would be determining what a ‘good’ cybersecurity operation looks like.

“How to demonstrate this may vary by organization – for some it would be relevant to show ISO 27001 compliance, whereas for others the standard might be simply to meet Cyber Essentials,” says Steven Furnell, professor of IT security at Plymouth University.

However, as Andy Boura, senior information security architect at Thomson Reuters suggests, box-ticking exercises may not be deemed enough to ensure that a real security culture has been created within the organization.

“The real challenge to implement something like this isn’t the spirit of it, but the practice of it; how on earth would you measure creating an effective security culture?”

You’re Not Alone

It could be argued that the CEO shouldn’t hold all of the responsibility; particularly as organizations should have a dedicated senior IT security professional such as a CISO or CIO.

Capital One Europe CIO Rob Harding believes that the CEO and the board need to take a keen interest in security, in addition to the whole management team.

“It definitely needs everyone’s input or everyone’s vigilance so I wouldn’t see it as purely a CEO thing,” he states.

Boura adds that as it’s the board’s role to hold the executives to account and to ensure the risk tolerance of the shareholders is represented, it could be feasible to link the pay packets of those individuals to the welfare of the company’s IT security function, but this could lead to a blame culture automatically being instilled into the organization – something which Weinberg strongly opposed.

CEOs could try to exonerate themselves from blame by advocating higher security budgets to CISOs and CIOs in order to deal with the issue.

“Making a link to the CEO's pocket is certainly relevant, because it may increase the level of interest in security. Indeed, without the CEO’s buy-in, we could find the CISO being hand-tied due to a lack of wider support and investment, and then facing a personal penalty when the effect of not heeding their advice comes to pass,” says Furnell.

Nonetheless, while throwing money at cybersecurity may increase the pressure on CISOs and CIOs to ensure security breaches don’t occur, it doesn’t mean that a company is automatically safe from being stung by a cyber-attack.

“Cybersecurity isn’t something that can be solved purely with money; so linking it to a pay conversation could potentially drive the wrong behavior,” says Harding.

He suggests that many of his CIO peers have been given “infinite amounts of money” to spend on cybersecurity, but believes there is only so much money that can be spent before other risks start to become more prominent.

One of the risks of a blank cheque policy could be that employees feel overly conscious of every tool they use, thereby inhibiting their productivity.

“If you target the pay of C-level executives on data security, the behavior you will incentivize is an incredibly high-level of investment and scrutiny around security,” says Camden Council interim CIO Omid Shiraji.

“There has to be a security-usability balance – and although there may be some industries where it makes sense to incentivize that behavior, I think you get yourself into some tricky territory,” Shiraji adds.

Money Can’t Buy Perfect Security

There will come a time when every company’s perimeter is breached by a cyber-attack.

“The reality is you can invest as much money as you want but you cannot stop a data breach if you’re being targeted,” says Shiraji. Although some may disagree with that statement, there are areas which are outside of the control of a CEO, CIO or CISO.

“You can make all sorts of investments in perimeter defenses, but then you have an insider threat to worry about – so you can certainly invest to mitigate risks in places, but there are other places where your pockets aren’t deep enough to mitigate all threats,” Harding argues.

“Linking pay to security is a very blunt instrument; the main thing is investing in getting your board and your CEO up to speed with what the threats are in your business and industry, what you’re doing about them, what you could do more and explaining which risks just cannot be mitigated regardless of spend,” Harding adds.

So it may be unrealistic to hold C-level executives to a target of zero breaches or incidents, but if there are aspects that are the result of negligence, such as a lack of patching, then someone could be held accountable.

“So a good target would be a combination of being audited as security-compliant (implying that controls are in place and security is actively promoted to staff), and then avoiding preventable breaches,” says Furnell. However, the issue here is that even external organizations work on the basis of trust, and could be misled into thinking a company is secure, even if it isn’t. In which case, a bonus could still be paid to a company, if all it is required to do is be approved as security compliant.

Herein lies the issue: an organization well-equipped in cybersecurity may still be a victim of a cyber-attack, while another firm which is not, may never suffer from a data breach. The CEO of the former may not get paid their bonus, while the latter receives theirs in full. This is why it would be essential to have goals that are attainable for individual firms and personnel.

While the process of implementing wide-sweeping contractual changes would raise the profile and appreciation of cybersecurity in organizations, if such changes were to take place, the key would be to ensure scrutiny on security personnel doesn’t go overboard, that expectations are realistic, and most importantly, that there remains accountability with a no-blame culture.

The Legal View
Mark O’Halloran, partner at law firm Coffin Mew, explains that the idea that MPs have conjured up is a performance-related bonus scheme, but unlike most schemes, it refers to negative measurements.

“The immediate legal challenge for a company thinking of incorporating this kind of scheme [for all IT security employees] into its pay structure is whether its existing bonus scheme is contractual or discretionary, assuming it has one at all,” he says.

The discretionary bonus scheme can usually be more easily varied by the employer than contractual schemes. If the scheme is contractual, it is likely that it can only be varied with the employee’s consent, unless the company undertakes a formal re-organization of its IT department.

“While some contracts of employment include ‘flexibility clauses’ allowing the employer to vary some terms simply by giving notice, it is unlikely that kind of clause would allow the employer to make unilateral changes to contractual pay,” says O’Halloran.

For C-level executives, the only difference is that it is more likely that the details will be negotiated with the executive directly.

Employees could refuse a variation of a contract if it affected their existing pay entitlement, in which case the employer may consider dismissing them and offering to re-engage on the varied contract. However, this could constitute an unfair dismissal of any employee who has more than two years’ continuous service if the change cannot be justified by reference to an ‘economic, technical or organizational reason’.

So what would happen if this kind of contract was in place for all security employees within an organization which was hit by a data breach? Would employees be able to appeal that they weren’t to blame for the breach and therefore receive their bonus pay?

“That depends on whether the bonus is tied to individual contributions to cybersecurity or overall performance of the security team, or a mix of both,” says O’Halloran.

“Provided the operation of the bonus scheme is non-discriminatory, and the measurements by which it is paid or not paid are objective, there is no general reason why any particular employee would have an automatic right to appeal a decision not to pay a team-wide bonus,” he adds.

The best approach, according to O’Halloran, from a legal and employee-incentive point of view, is to have a mixed bonus: part paid where the individual employee has personally met clear security objectives in their particular role, and part paid on a team-wide basis based on overall results.