In theory, the top management of a company is today incentivized based on the company’s success. As I said, in theory, since it seems that top management is heavily incentivized even if the company fails, but that’s another story.
In the UK Parliament it seems that they are discussing linking the bonus/salary of CEOs to the company’s ability to defend against cyber-attacks (CEO salaries should be linked to their firm’s cyber security, says UK parliament). This is actually an interesting approach, I think. It would at least raise awareness significantly, where this is still an issue. We have seen significant impact on CEOs’ jobs after some attacks, but binding it constantly to their pay is interesting. The real question behind this would be how to measure security fairly so that maturity can be calculated. I guess politicians would then come up with the notion of “no successful attack”, but I would not be in favor of such an approach, for different reasons:
- The company might just have been lucky.
- The company might not have realized that they were successfully compromised.
- There might be an incentive for the company not to share incident information with other private companies, as it might have an impact on the bonus of the CEO.
But in general, the approach could help to drive the necessary budgets.