CEOs' Pay Should Be Cut If Firms Fail To Protect Against Hacks

HardOCP News

Hah! Could you imagine if companies around the world had to do this? You can bet security would be taken a whole lot more seriously if fines against the company came out of the CEO's pay. :D

A new UK parliamentary report recommends that businesses face escalating fines for cybersecurity breaches, with the biggest penalties reserved for firms that succumb to "plain vanilla" intrusions, such as the SQL attack on telco TalkTalk. The heaviest penalties should be levied against companies that experience "continued vulnerabilities and repeated attacks", the report from the UK's Culture, Media and Sport Committee notes.
 
Sounds like the UK government is trying to find a new revenue stream.

If these fines and fees were directed towards identity monitoring of affected users, I would support this revenue stream...if I were in the UK of course. But since everyone's screaming 'wasteful spending!', nothing will ever be done.
 
And what happens if the government gets hacked? Do the tax payers get reimbursed?
 
CEOs' Pay Should Be Cut*

I agree. I think we could probably come up with a list of at least 10 things that should cut CEOs' pay or bonuses.

And what happens if the government gets hacked? Do the tax payers get reimbursed?

hey hey hey, let's not get crazy here. If it wasn't for double standards, most govts wouldn't have any
 
That should actually be the CTO's pay that is cut, unless he can prove the CEO overruled his security decisions and budget.

More like the CISO. But we're splitting hairs. Most hacks result from end users being incredibly stupid and clicking the link they shouldn't be clicking on.

You can teach an ignorant person, but you can't fix stupid.
 
More like the CISO. But we're splitting hairs. Most hacks result from end users being incredibly stupid and clicking the link they shouldn't be clicking on.

You can teach an ignorant person, but you can't fix stupid.

Agreed. How can you stop someone from clicking on that pretty kitty pic or email. Even smart people fall for some of the more clever stuff now days.
 
Agreed. How can you stop someone from clicking on that pretty kitty pic or email. Even smart people fall for some of the more clever stuff now days.
Just for shits and giggles, I clicked on the link about "my" PayPal getting deactivated, and they've included Luhn checks for valid credit card data. I found that to be quite impressive. They're going very far to make things look as authentic as possible.
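The Luhn check the poster noticed is the same mod-10 checksum a phishing kit uses to reject typos so the fake form behaves like a real checkout, and the same filter an outbound DLP rule uses to spot card numbers leaving the network. The following is an added example, not code from this thread or from any phishing kit; the card numbers in it are the well-known public test values, not real cards, and the text scanned at the end is constructed for the example.

```python
import re

# Constructed sample inputs (assumption: these are what a fake payment form
# might receive). The numbers are published test values, not real cards.
SAMPLE_INPUTS = {
    "4111 1111 1111 1111": True,   # Visa test number, Luhn-valid
    "4111-1111-1111-1112": False,  # last digit changed: checksum fails
    "5500 0000 0000 0004": True,   # Mastercard test number, Luhn-valid
    "1234 5678 9012 3456": False,  # looks like a card, fails the checksum
    "abcd": False,                 # not digits at all
}

# 13 to 19 digits, each optionally followed by a space or dash.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum.

    Spaces and dashes are stripped first; anything else, or fewer than two
    digits, is rejected outright rather than treated as a checksum failure.
    """
    digits = re.sub(r"[ -]", "", number)
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    # Walk from the rightmost digit. Every second digit (counting from the
    # right, starting with the second) is doubled; a two-digit result has
    # its digits summed, which is the same as subtracting 9.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def check_samples() -> dict:
    """Run luhn_valid over SAMPLE_INPUTS and report any mismatches."""
    return {s: luhn_valid(s) for s in SAMPLE_INPUTS}


def find_card_candidates(text: str) -> list:
    """Return the digit runs in text that look like card numbers and pass Luhn.

    This is the defender-side use of the same check: a coarse DLP-style
    scan of outbound text. Order numbers and other 13-19 digit values can
    still pass by chance (about 1 in 10), so it is a trigger for review,
    not proof that card data is present.
    """
    return [m.group(0) for m in CARD_RE.finditer(text) if luhn_valid(m.group(0))]


if __name__ == "__main__":
    for sample, ok in check_samples().items():
        print(f"{sample!r}: {'valid' if ok else 'invalid'}")
    # Constructed text a DLP scanner might see in an outbound request body.
    blob = "order 1234 5678 9012 3456 card 4111-1111-1111-1111 ref 5500000000000004"
    print(find_card_candidates(blob))
```

Running the block prints which sample inputs pass, then the two Luhn-valid runs from the constructed text; the 16-digit order number is rejected by the checksum even though it matches the regex.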
 
Many companies already face fines for this when it affects end users. It generally comes in the form of a class action lawsuit. Sony has been hit with that a few times now for their total lack of proper layered security.
 
It's not a question of *if* a company will get hacked or compromised, it is a question of *when*. Honestly, there is no preventing something like this. Obviously companies could do a great deal to improve their security, but a dedicated attacker will always find a way.
 
They'd just stop reporting breaches.

30% of a company's payroll going to .001% of the workforce won't change this way.

I believe when the breach affects PII they are legally obligated to report it, if nothing else to the end users affected. However, if you privately notified half a million users about a data breach, it would look exceedingly bad if you did not publicly report it as well.
 
Executive leadership compensation should be adjusted based on the results of their policies? LOL no. Those job creators work hard. We just need to accept that they always deserve a performance bonus.
 
What I'd prefer to see is some standardized security testing that companies need to routinely go through...just like how a restaurant has to maintain certain cleanliness and food preparation standards, and is assigned a rating based on that. Companies should be subjected to some penetration testing, given a report card, and if that report card is anything less than an "A", be given a certain amount of time to improve that, then be tested again.

With data these days, we have to assume there is an element of risk at all times, but there should also be a responsibility of corporations to protect against and prevent as much of that risk as is humanly possible.
 
Executive leadership compensation should be adjusted based on the results of their policies? LOL no. Those job creators work hard. We just need to accept that they always deserve a performance bonus.

I think what you don't realize is that many of these policies have nothing to do with the CEO. Is he ultimately responsible? Yes, but generally someone else f'd up and now the CEO has to fix it by firing the person and finding a better person to fill that role. There is no way a CEO can write and oversee every single policy in a big company. That is why the company should get the fine and not the CEO directly. How well the company does in a year almost always directly affects the CEO, but the CEO shouldn't be held directly responsible for everything the company does; then you are just making a scapegoat out of a person and not really affecting the company as a whole. The company screwed up, they should pay the piper, and the CEO should feel some of the hit from that.
 
What I'd prefer to see is some standardized security testing that companies need to routinely go through...just like how a restaurant has to maintain certain cleanliness and food preparation standards, and is assigned a rating based on that. Companies should be subjected to some penetration testing, given a report card, and if that report card is anything less than an "A", be given a certain amount of time to improve that, then be tested again.

With data these days, we have to assume there is an element of risk at all times, but there should also be a responsibility of corporations to protect against and prevent as much of that risk as is humanly possible.

They do. PCI-DSS, FISMA, SSAE16, ISO27001.
 
The President and Congress should all have their pay cut if they fail to protect the US against aggressors as well.
 
Salary-wise they get paid very little. Yeah, they get their cash from other things, at least congressmen, but the President I don't think can take any money till he is out of office.
 
They do. PCI-DSS, FISMA, SSAE16, ISO27001.

Okay, that's cool...for the testing results, is there a website that aggregates the results from that testing and assigns scores? I know I could Google it, but if you already have the info, I'd appreciate it.
 
I'm pretty sure CEOs get huge bonuses and crazy paychecks even if they drive a company into the ground, why would cybersecurity suddenly be a factor?
 
If the CEO is willing to accept this as part of his/her contract then I see no problem with it. They'd be stupid to do that but they could.
 
Okay, that's cool...for the testing results, is there a website that aggregates the results from that testing and assigns scores? I know I could Google it, but if you already have the info, I'd appreciate it.

There isn't. This is usually a compliance check that is conducted by an external security vendor. When a company does business with another company and it requires sharing critical data, then those types of documents are shared and usually kept locked up under an NDA. The SSAE 16 report is usually provided to financial institutions and is required before conducting any business with them.

However, compliance does not mean a company is secure.
 
And what happens if the government gets hacked? Do the tax payers get reimbursed?

Well I can say that you get free credit monitoring for a couple of years out of it. Beyond that, not much else.

Unless you think you can use it as a "get out of jail free" card...
 