CEOs' Pay Should Be Cut If Firms Fail To Protect Against Hacks

HardOCP News

[H] News
Joined
Dec 31, 1969
Messages
0
Hah! Could you imagine if companies around the world had to do this? You can bet security would be taken a whole lot more seriously if fines against the company came out of the CEO's pay. :D

A new UK parliamentary report recommends that businesses face escalating fines for cybersecurity breaches, with the biggest penalties reserved for firms that succumb to "plain vanilla" intrusions, such as the SQL attack on telco TalkTalk. The heaviest penalties should be levied against companies that experience "continued vulnerabilities and repeated attacks", the report from the UK's Culture, Media and Sport Committee notes.
 

jhymesba

n00b
Joined
Mar 17, 2016
Messages
30
Sounds like the UK government is trying to find a new revenue stream.

If these fines and fees were directed towards identity monitoring of affected users, I would support this revenue stream...if I were in the UK of course. But since everyone's screaming 'wasteful spending!', nothing will ever be done.
 

wgm3446

Gawd
Joined
May 8, 2007
Messages
858
And what happens if the government gets hacked? Do the taxpayers get reimbursed?
 

Dalexx

Limp Gawd
Joined
Mar 22, 2014
Messages
160
CEOs' Pay Should Be Cut*

I agree, I think we could probably come up at least with a list of 10 things that should cut CEO's pay or Bonuses.

And what happens if the government gets hacked? Do the taxpayers get reimbursed?

Hey hey hey, let's not get crazy here. If it wasn't for double standards, most govts wouldn't have any.
 

wgm3446

Gawd
Joined
May 8, 2007
Messages
858
That should actually be the CTO's pay that is cut, unless he can prove the CEO over-ruled his security decisions and budget.

More like the CISO. But we're splitting hairs. Most hacks result from end users being incredibly stupid and clicking the link they shouldn't be clicking on.

You can teach an ignorant person, but you can't fix stupid.
 

Bowman15

[H]ard|Gawd
Joined
Apr 7, 2015
Messages
1,772
More like the CISO. But we're splitting hairs. Most hacks result from end users being incredibly stupid and clicking the link they shouldn't be clicking on.

You can teach an ignorant person, but you can't fix stupid.

Agreed. How can you stop someone from clicking on that pretty kitty pic or email? Even smart people fall for some of the more clever stuff nowadays.
 

wgm3446

Gawd
Joined
May 8, 2007
Messages
858
Agreed. How can you stop someone from clicking on that pretty kitty pic or email? Even smart people fall for some of the more clever stuff nowadays.

Just for shits and giggles, I clicked on the link about "my" PayPal getting deactivated, and they've included Luhn checks for valid credit card data. I found that to be quite impressive. They're going very far to make things look as authentic as possible.
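The Luhn check the post above describes is the same mod-10 checksum a defender can use the other way round, to separate card-shaped digit runs from other numbers in logs or outbound data. The block below is an added example written for this thread, not code from the phishing kit or from any poster; all card numbers in it are constructed test values (4111 1111 1111 1111 is the standard Visa test number), and the sample text is made up. It also shows why a kit's Luhn check proves nothing about a card being real: the check digit is trivially computable, so anyone can mint numbers that pass.

```javascript
// Luhn (mod-10) checksum: validate a PAN, compute a check digit, and use the
// check as a false-positive filter when scanning free text for card numbers.
// Sample numbers and text are constructed for this example, not real data.

// Return true if `pan` (digits, optionally separated by spaces or hyphens)
// has a valid Luhn check digit. Non-digit input or an implausible length
// (outside 12..19 digits) is rejected up front.
function luhnValid(pan) {
  const digits = String(pan).replace(/[\s-]/g, "");
  if (!/^\d{12,19}$/.test(digits)) return false;
  let sum = 0;
  let dbl = false;                       // every second digit from the right is doubled
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    dbl = !dbl;
  }
  return sum % 10 === 0;
}

// Compute the single digit that, appended to `body`, makes the result Luhn-valid.
// Once the check digit is appended, the rightmost body digit sits in a
// "doubled" position, so doubling starts at the right end of `body`.
function luhnCheckDigit(body) {
  const digits = String(body).replace(/[\s-]/g, "");
  if (!/^\d{11,18}$/.test(digits)) throw new Error("body must be 11..18 digits");
  let sum = 0;
  let dbl = true;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    dbl = !dbl;
  }
  return String((10 - (sum % 10)) % 10);
}

// Mint a Luhn-valid number from any prefix: this is all a phishing kit's
// Luhn check actually verifies, so passing it says nothing about whether the
// card exists, only that the digits were not typed at random.
function mintLuhnValidPan(body) {
  return body + luhnCheckDigit(body);
}

// DLP-style scan: pull 13..19-digit runs (spaces/hyphens allowed) out of text
// and keep only those that pass Luhn, dropping order numbers, timestamps and
// similar long digit strings that a bare regex would flag.
function findLuhnValidPans(text) {
  const candidates = text.match(/\b(?:\d[ -]?){12,18}\d\b/g) || [];
  return candidates.map(c => c.replace(/[ -]/g, "")).filter(luhnValid);
}

// Constructed sample input: one real-looking test PAN, one with a bad check
// digit, an order number and a timestamp that happen to be 13-14 digits long.
const SAMPLE_TEXT = [
  "order 1234567890123 shipped",
  "card=4111 1111 1111 1111 exp=12/27",
  "card=4111111111111112 exp=12/27",
  "ts=20160621134501 status=ok",
].join("\n");

if (typeof require !== "undefined" && require.main === module) {
  console.log(luhnValid("4111 1111 1111 1111"));   // true
  console.log(luhnValid("4111111111111112"));       // false
  console.log(mintLuhnValidPan("520000000000000"));  // a passing but fake number
  console.log(findLuhnValidPans(SAMPLE_TEXT));      // only the Luhn-valid PAN
}
```

The practical point for a defender is the last function: a regex alone will match a 16-digit timestamp just as happily as a card number, and adding the Luhn filter removes most of that noise. The practical point about the phishing kit is the one before it: a Luhn check is a usability feature for the attacker, not evidence that the harvested data is valid.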
 

NoOther

Supreme [H]ardness
Joined
May 14, 2008
Messages
6,468
Many companies already face fines for this when it affects end users. It generally comes in the form of a class action lawsuit. Sony has been hit with that a few times now for their total lack of proper layered security.
 

Dunnlang

Limp Gawd
Joined
Sep 6, 2012
Messages
200
It's not a question of *if* a company will get hacked or compromised, it is a question of *when*. Honestly, there is no preventing something like this. Obviously companies could do a great deal to improve their security, but a dedicated attacker will always find a way.
 

NoOther

Supreme [H]ardness
Joined
May 14, 2008
Messages
6,468
They'd just stop reporting breaches.

30% of a company's payroll going to .001% of the workforce won't change this way.

I believe when the breach affects PII they are legally obligated to report it, if nothing else to the end users affected. However, if you privately notified half a million users about a data breach, it would look exceedingly bad if you did not publicly report it as well.
 

DeathFromBelow

Supreme [H]ardness
Joined
Jul 15, 2005
Messages
7,316
Executive leadership compensation should be adjusted based on the results of their policies? LOL no. Those job creators work hard. We just need to accept that they always deserve a performance bonus.
 

Konig-Wolf

Limp Gawd
Joined
Oct 4, 2009
Messages
217
What I'd prefer to see is some standardized security testing that companies need to routinely go through...just like how a restaurant has to maintain certain cleanliness and food preparation standards, and is assigned a rating based on that. Companies should be subjected to some penetration testing, given a report card, and if that report card is anything less than an "A", be given a certain amount of time to improve that, then be tested again.

With data these days, we have to assume there is an element of risk at all times, but there should also be a responsibility of corporations to protect and prevent as much of that risk as is humanly possible.
 

NoOther

Supreme [H]ardness
Joined
May 14, 2008
Messages
6,468
Executive leadership compensation should be adjusted based on the results of their policies? LOL no. Those job creators work hard. We just need to accept that they always deserve a performance bonus.

I think what you don't realize is many of these policies have nothing to do with the CEO. Is he ultimately responsible? Yes, but generally someone else f'd up and now the CEO has to fix it by firing the person and finding a better person to fill that role. There is no way a CEO can write and oversee every single policy in a big company. That is why the company should get the fine and not the CEO directly. How well the company does in a year almost always directly affects the CEO, but the CEO shouldn't be held directly responsible for everything the company does; then you are just making a scapegoat out of a person and not really affecting the company as a whole. The company screwed up, they should pay the piper, of which the CEO should feel some of the hit.
 

wgm3446

Gawd
Joined
May 8, 2007
Messages
858
What I'd prefer to see is some standardized security testing that companies need to routinely go through...just like how a restaurant has to maintain certain cleanliness and food preparation standards, and is assigned a rating based on that. Companies should be subjected to some penetration testing, given a report card, and if that report card is anything less than an "A", be given a certain amount of time to improve that, then be tested again.

With data these days, we have to assume there is an element of risk at all times, but there should also be a responsibility of corporations to protect and prevent as much of that risk as is humanly possible.

They do. PCI-DSS, FISMA, SSAE16, ISO27001.
 

ManofGod

[H]F Junkie
Joined
Oct 4, 2007
Messages
12,512
The President and Congress should all have their pay cut if they fail to protect the US against aggressors as well.
 

razor1

[H]F Junkie
Joined
Jul 14, 2005
Messages
10,120
Salary-wise they get paid very little. Yeah, they get their cash from other things, at least congressmen, but the President I don't think can take any money till he is out of office.
 

Konig-Wolf

Limp Gawd
Joined
Oct 4, 2009
Messages
217
They do. PCI-DSS, FISMA, SSAE16, ISO27001.

Okay, that's cool...for the testing results, is there a website that aggregates the results from that testing and assigns scores? I know I could Google it, but if you already have the info, I'd appreciate it.
 

KazeoHin

[H]F Junkie
Joined
Sep 7, 2011
Messages
8,396
I'm pretty sure CEOs get huge bonuses and crazy paychecks even if they drive a company into the ground, why would cybersecurity suddenly be a factor?
 

madcap magician

Limp Gawd
Joined
Mar 12, 2003
Messages
328
If the CEO is willing to accept this as part of his/her contract then I see no problem with it. They'd be stupid to do that but they could.
 

wgm3446

Gawd
Joined
May 8, 2007
Messages
858
Okay, that's cool...for the testing results, is there a website that aggregates the results from that testing and assigns scores? I know I could Google it, but if you already have the info, I'd appreciate it.


There isn't. This is usually a compliance check that is conducted by an external security vendor. When a company does business with another company and it requires sharing critical data, then those types of documents are shared and usually kept locked up with an NDA. The SSAE 16 report is usually provided to financial institutions and required before conducting any business with them.

However, compliance does not mean a company is secure.
 

lcpiper

[H]F Junkie
Joined
Jul 16, 2008
Messages
10,611
And what happens if the government gets hacked? Do the taxpayers get reimbursed?

Well I can say that you get free credit monitoring for a couple of years out of it. Beyond that, not much else.


.....................unless you think you can use it as a "get out of jail free" card .......................
 