IT Essentials: Curtain call for irresponsible cyber
With great pay comes great responsibility
Amateur dramatics gets right what companies have failed at for years.
I can't carry a tune, a fact that manifests as physical pain on my wife's face every time I sing "Happy Birthday." She, on the other hand, sings like a Disney princess, and once or twice a year takes part in a musical at our local theatre.
For this week's show I got involved behind the scenes, building and moving scenery, screwing together palm trees and trying to work out how to fit a set of bleachers, a bed and a car into an area the size of a London bedroom.
Backstage carries a lot of personal responsibility: it's your job to make sure the actors have something to act against and that no one is brained by a falling stage weight (only welcomed at slapstick and very bad shows).
Why can amdram get this right, but executives overseeing cyber negligence walk away scot-free? Massive data breaches put people's privacy, and sometimes lives, at risk, while those ultimately responsible are often free to switch to another job like nothing's happened.
When you accept the pay of being a C-level security executive, or even a CEO, you should also have to accept that the buck stops with you. That hasn't been the case for too long.
This heady idealism is why I've been glad to see the landscape shifting over the last few years. The best-known example is probably Uber's Joe Sullivan, who narrowly avoided jail time for his role in concealing a massive 2016 data breach, but there have been others.
Now Microsoft is moving to formalise an arrangement of personal responsibility, tying executive compensation to security performance. We don't know how much of their pay will be sacrificed in the case of a cyber incident, but it signals that Microsoft is taking security seriously.
How much do Computing's readers think executives should lose in the case of a breach? I'll put forward a nice round figure: 30%. That's how much of a company's budget Vanta CISO Jadee Hanson is pushing to be spent on cyber, so it seems a good place to start.
Last week, I wrote about the need to change cyber's blame game. I haven't changed my tune; this isn't about blame, it's about understanding - to paraphrase Stan Lee - that with great pay comes great responsibility.
Recommended Reading
Appropriately, it's all about cybersecurity this week. First, two excellent articles from Penny Horwood looking at how to attract neurodivergent individuals to work in cyber, and an interview with GitHub's deputy CSO on how to level up security and kill off supply chain attacks.
We also have coverage of a fantastic session from last week's Cybersecurity Festival, where PIB Insurance CISO Jason Ozin explained four ways to save on cyber insurance.