Do CEOs and Boards have any idea what the company’s cybersecurity status is?

Cybersecurity and privacy compliance should be a top priority of the Board of Directors and senior management of any publicly traded company, right? Not so fast, kemo sabe. The problem is, everyone thinks that their problems, their issues, their topics should be a top priority of the Board of Directors.

Certain equity fund shareholders of Verizon Communications proposed a resolution that the Verizon Board of Directors publish a report assessing the feasibility of integrating cybersecurity and data privacy performance measures into the Verizon executive compensation program which it describes in its annual proxy materials.

In other words, the performance of the company with respect to privacy and data security should be an express part of the compensation of Verizon executives.

Pay for cybersecurity and privacy performance

In support of the resolution, the equity fund noted that in September 2017, the Co-Director of the SEC’s Enforcement Division announced the creation of a Cyber Unit stating “Cyber-related threats and misconduct are among the greatest risks facing investors and the securities industry” and that “in February 2018, in issuing guidance for preparing disclosures about cybersecurity risks and incidents, [SEC] Chairman Clayton emphasized ‘cybersecurity is critical to the operations of companies and our markets.’”

The outside shareholders also observed that “In the United Kingdom, a Parliamentary committee studying cyber security recommended: ‘To ensure this issue receives sufficient CEO attention before a crisis strikes, a portion of CEO compensation should be linked to effective cyber security, in a way to be decided by the Board.’”

So what does the Verizon Board think of the idea of linking executive compensation to security and privacy performance and metrics? Not very much. Sure, we’d LOVE to do it, but you see, there’s really no way to MEASURE security or privacy performance. I mean, GENTLEMEN, GENTLEMEN, we’ve got to keep our phony baloney jobs! Of course, that’s not what they say in their SEC filing. Technically, what they say is:

“…the Board does not think that adding cybersecurity and data privacy targets into Verizon’s executive compensation program would have the presumed effect of preventing a network or data security breach because there is not necessarily a correlation between an executive’s actions and the prevention of cyber or data security incidents. For example, a company’s networks and information systems may be infiltrated by a malicious state actor even though an executive has taken all reasonable precautions and allocated substantial resources to protective technologies, security and privacy protocols and employee training.

Moreover, the Board does not view cybersecurity and data privacy performance measures as analogous to the adjusted EPS, free cash flow, total revenue, and diversity and carbon abatement performance metrics that Verizon uses in its short-term incentive awards. While there are mathematical and/or scientifically accepted methodologies for quantifying such metrics and assessing a company’s performance in those areas from period to period, at this time there is no generally accepted methodology for measuring ‘success’ in the area of cybersecurity and data privacy.”

Let me translate from lawyerspeak to English.

Even if management and the Board do everything reasonable to protect data, we could still have a data breach, and then we wouldn’t get our bonuses even if it’s not our fault. Besides, there’s no way to really “measure” cybersecurity performance or privacy compliance anyway. It’s not like revenue or EPS (whatever that is) or “carbon abatement,” for which there are actual scientifically acceptable metrics. Why, cybersecurity and privacy are a free-for-all. How could you expect anyone to have any idea how we are doing, and worse — base my compensation on how we are doing? Are you nuts?

Full disclosure here. I used to work as the Security Evangelist for Verizon Communications. And I don’t mean to pick on Verizon here — the problem of security metrics is endemic. While it’s not wrong to say that there is “no generally accepted methodology for measuring success” in the areas of cybersecurity and data privacy, there are lots of very good metrics for measuring whether a company is doing what it needs to do to take “reasonable steps” to protect data entrusted to it. That doesn’t mean that there won’t be a breach. All entities will remain vulnerable to zero-day attacks and sophisticated attacks, particularly by state actors.

Executive compensation should not be based on whether there’s a data breach or not. That’s a silly (but highly measurable) metric. A company can have abysmal security and never have a reportable breach (or never notice one). It could get lucky. Also, focusing on “breaches” in general, and reportable breaches in particular, narrows Board and Management attention to a small portion of the overall risk portfolio. And it ignores companies that deliberately misuse personal or privacy-related information, or that make unclear and ambiguous statements about privacy policies. While the metrics are by no means universal, and they are not linked to “success,” they are well established and are linked to risk and to appropriate risk avoidance, mitigation, and insurance. For example, a non-profit entity with which I am also associated (again, full disclosure), the Digital Risk Management Institute, uses metrics to assess cybersecurity, privacy, and compliance risk, and recommends remediation based on risk, vulnerability, impact, cost, and related factors.

The Verizon statement is faulty for another reason. It disassociates management and Board responsibility from both process and outcome. Nobody says the Board and Management should not get their bonus if there’s a cybersecurity incident which could not have been reasonably prevented or ameliorated. But if the incident or its impact could have been prevented, someone has to pay. And the Verizon statement essentially says, “nope — not me.”

I remember the apocryphal story of a security company that was developing secure software for the DoD. Remember that “apocryphal” means of doubtful authenticity, but even if the story isn’t true, it’s a useful one. The company paid employees a $5,000 cash bonus for every security vulnerability they either reported or abated. Cash on the barrel. No questions asked. Well, a few questions, actually. They later changed the program to say you could not get a bonus for a vulnerability you created. Or your friend created. And this applied not just to code, but to process. Like failing to challenge visitors. Or lock doors. Or shred documents. And it applied to everyone — engineers, coders, sure — but also secretaries, janitors, clerks and interns. After several months the head of product was called in by the head of HR, who complained that nobody was doing their jobs: they were spending all their time (or a substantial portion of it) looking for vulnerabilities. The head of product just smiled. What they had done — without metrics — was to prioritize and incentivize security and build a culture of security throughout the organization. It made people actively search for problems, and suggest ways to fix them, rather than just aiming to “comply” with some standard.

Management obviously doesn’t control outcomes. But management needs to create the culture for privacy and security, and that comes from the top. Look, management is compensated for a company’s profitability, even when that profitability, or the lack of it, was for some reason outside their control. There are many metrics to use to measure a company’s cybersecurity risk profile. And its privacy compliance. We need to use them and incentivize the Board and management to do the right thing. Because if they do good security, they make money.