Are CEOs Judged Not to Have Ensured Necessary Cybersecurity? The New Reality

When a major cyber-attack hits, the spotlight often falls on the chief executive. But a recent report from the UK’s Culture, Media and Sport Committee suggests that CEOs cybersecurity compensation could soon be directly tied to how well they protect their organisations. This is no longer just an IT issue—it’s a boardroom liability.

The investigation, triggered by the October 2015 cyber-attack on TalkTalk, has delivered two stark recommendations that every enterprise leader should understand. Whether you run a small business or a multinational, the message is clear: ignore cybersecurity at your peril.

Linking CEO Pay to Cybersecurity Performance

The committee’s report, published on 17 June, proposes a radical shift in executive accountability. It suggests that a portion of CEO compensation should be linked to effective cybersecurity. In the committee’s own words: “To ensure this issue [cybersecurity] receives sufficient CEO attention before a crisis strikes, a portion of CEO compensation should be linked to effective cybersecurity, in a way to be decided by the Board.”

This recommendation alone is a wake-up call for many leaders. Remuneration committees will now have to grapple with how to measure cybersecurity effectiveness. Lawyers, too, can expect a new stream of work as they help define what constitutes “effective” protection.

How Will Boards Measure Cybersecurity?

Implementing this will not be straightforward. Boards will need to establish clear metrics—perhaps based on incident response times, employee training completion rates, or vulnerability patching schedules. The key is to move beyond vague promises and create tangible targets that align with business risk.

GDPR and the Threat of Custodial Sentences

Even more alarming for executives is the second recommendation. The committee concurs with the Information Commissioner’s Office (ICO) that, while the EU General Data Protection Regulation (GDPR), effective from 2018, will sharpen focus on data protection, a full range of sanctions—including custodial sentences—would be beneficial.

This means that enterprise executives could not only lose money if they are judged not to have ensured the necessary cybersecurity, but they may also face imprisonment. The prospect of jail time for data breaches is a dramatic escalation that demands immediate attention.

The Growing Cyber-Crime Threat

Some may view these recommendations as extreme. However, the report highlights that cyber-crime is a mounting risk for businesses of all sizes. According to the Federation of Small Businesses (FSB), a third of their members have experienced cyber-crime. Meanwhile, a 2015 survey by PwC for the Department for Business, Innovation and Skills found that 90% of large organisations had suffered a security breach.

Executives constantly balance risk and reward. Many have previously assumed that cyber-attack risks are negligible, relegating cybersecurity to the bottom of the business agenda. The committee’s novel approach aims to change that calculus by tying personal financial and legal consequences to cybersecurity outcomes.

ICO’s Expanded Audit Powers

Another critical development is the call for the ICO to gain additional non-consensual audit powers, particularly in health, local government, and potentially other sectors. Currently, the ICO has limited ability to inspect systems without consent. If this changes, regulators could knock on your door to verify compliance with security standards.

Businesses already accept that HMRC may inspect accounts to ensure tax and VAT payments are correct. A similar regime for cybersecurity would mean keeping your digital house in order at all times. The committee’s report states: “At present, the ICO has limited powers of non-consensual audit… the ICO should have additional powers of non-consensual audit.”

What This Means for CEOs Today

The TalkTalk incident involved the theft of customer records, including bank account details. Tens of thousands of individuals had their personal information compromised. In response, diligent CEOs—mindful of their income and liberty—are now asking searching questions about IT security. They are also listening with renewed sympathy to their CIO’s pleas for increased cybersecurity budgets.

As a result, the message is clear: cybersecurity is no longer just a technical concern. It is a core governance issue that affects compensation, legal liability, and even personal freedom. CEOs who fail to act may find themselves judged not only by the market but also by the courts.

For more insights on how to protect your organisation, explore our guide on cybersecurity risk management strategies and GDPR compliance steps.

More Boards Are Interested in Cybersecurity, but Is Security Still an IT Department Job?

Cybersecurity is increasingly landing on the boardroom agenda. According to the latest Cyber Governance Health Check, 33% of boards have now clearly defined their appetite for cyber-risk — an 18% increase since 2014. However, this cybersecurity board interest doesn’t always translate into consistent oversight. On average, only 54% of boards discuss cybersecurity twice a year, or only after a breach occurs. This raises a pressing question: is security still just a job for IT?

The Growing Gap Between Board Interest and Action

While large enterprises dominate headlines after major data breaches, small and medium-sized enterprises (SMEs) are far from safe. The latest Government Security Breaches Survey reveals that 74% of SMEs experienced a security breach in the past year. Cyber-criminals are specifically targeting smaller businesses, viewing them as easier prey.

Encouragingly, more directors and senior leaders are registering for workshops focused on SME vulnerabilities and cybersecurity strategy development. Yet, many still view security as an IT department responsibility, not a business-critical priority requiring top-down leadership.

This mindset is dangerous. A successful cybersecurity strategy demands board buy-in to enforce policies across the organisation and foster a culture of awareness. IT departments can implement firewalls and anti-virus software, but employees remain the biggest threat. Without board sponsorship, technical solutions alone are insufficient.

Why Cybersecurity Belongs in the Boardroom

IT teams — whether internal or outsourced — need a seat at the boardroom table. They require an understanding of how security integrates with business operations and strategy. Failing to address security at this level can be costly. Beyond the immediate expenses of rectifying a cyber-attack, organisations face regulatory fines (especially in regulated industries), client loss, and stiffer penalties under new EU data protection laws coming into effect in 2018.

Large enterprises might absorb these costs, but can SMEs? The financial and reputational damage can be devastating.

How to Secure Boardroom Buy-In for Cybersecurity

Educate on the Real Impact of Cyber-Attacks

The first step toward a robust cybersecurity policy is helping board members understand the true implications of an attack. For regulated industries, non-compliance is severe — both for the organisation and individual senior managers, who can no longer claim ignorance of security risks. Understanding how an attack impacts the business and its leaders often sharpens focus, though sadly this realisation frequently comes only after a breach occurs.

Identify Vulnerabilities and Empower IT Teams

Board members must also recognise where vulnerabilities lie. For SMEs, the most significant cyber-threat is their own staff. Employees inadvertently click on malware links or share passwords inappropriately, granting attackers access to sensitive systems. Fortunately, this risk can be mitigated without constant spending on new technology. Training and awareness exercises for all employees — including board members — ensure vigilance and proactive security behaviour. This only works, however, with board support that leads by example and embeds security into organisational culture.

Regular health checks, risk assessments, formal written cybersecurity policies, and business continuity plans are all essential components that directors should welcome in the boardroom. For more insights, explore our guide on cyber-risk management board strategy and SME cybersecurity best practices.

In conclusion, while cybersecurity board interest is growing, it must translate into consistent action. Security is not just an IT job — it is a boardroom imperative. Without top-level sponsorship, even the best technical defences will fall short.

Learn how to build a boardroom cybersecurity culture that protects your business from the top down.

OASIS Summer Event: Red Teaming, Scorecarding, and Endpoint Security

This week, the Ham Yard Hotel in London became the hub for cybersecurity thought leaders as the OASIS summer event unfolded. Industry experts gathered to dissect pressing topics, with a particular focus on endpoint security, Red Teaming strategies, and the growing importance of cybersecurity scorecards. The discussions offered actionable insights for organizations striving to stay ahead of evolving threats.

Red Teaming: Beyond Technical Vulnerabilities

Mark Nicholls, principal security consultant at Context, kicked off the presentations by exploring the nuances of Red Team testing. He emphasized that this approach evaluates the entire organization, not just its technology. “Red Team testing can mean different things to different people,” Nicholls explained. “Ultimately, we’re testing the whole business and processes—attacking systems, people, and workflows to triage issues by severity.”

However, he noted that Red Teams often uncover non-technical problems, such as inadequate phishing training. “Our approach balances depth versus breadth,” he added. “We target people, processes, and technology, assessing an organization’s ability to detect and respond to an attack.” This holistic perspective helps companies strengthen their defenses from all angles.

Building a Cybersecurity Scorecard: A Proactive Approach

Next, Chris Strand, senior director of compliance and governance at Carbon Black, addressed the challenge of measuring security posture amid shifting regulations. With GDPR enforcement looming in 2018, Strand argued that a cybersecurity scorecard is essential. “No matter your role—board member, CISO, or analyst—regulations affect you,” he said. “Every security incident triggers new policies or stricter standards.”

Strand outlined nine steps for creating an effective scorecard, from defining business objectives to reporting critical controls. “Scorecarding reduces liability and provides security assurance, not insurance,” he stressed. “Assurance is proactive; insurance is reactive.” This framework helps organizations present complex security data in a clear, actionable format.

Key Components of a Risk Scorecard

Strand’s nine-step process includes identifying stakeholders, applying a framework like NIST, and enforcing policies. By collecting data based on these policies, companies can report on critical security controls. This structured approach ensures that security efforts align with business goals and regulatory demands.

Endpoint Security: The Persistent Weakness

Adam Bridge, senior intrusion analyst at Context, closed the event with a sobering look at how breaches occur. He highlighted that most companies learn of compromises through third parties—such as banks or ransomware messages—rather than internal detection. Phishing attacks remain the top vector, followed by drive-by downloads and malvertising.

Bridge lamented that organizations still neglect endpoint security. “Defenders are improving, but things remain pretty bad,” he said. “Companies invest heavily in network perimeter defenses but forget the endpoint.” Relying solely on firewalls and antivirus leaves organizations vulnerable. “Endpoint protection complements other technologies; it doesn’t replace them,” Bridge concluded. Without it, businesses lack a critical layer of defense.

For more insights, explore our guide on cybersecurity strategies or learn about Red Teaming best practices.