Many of us within the information security and cyber security industry have been calling for organizations to hold their top leaders (CISO’s, CSO’s, CFO’s, CEO’s) accountable when a major security breach occurs at the organizations they lead.
Accountability could be anywhere from a loss in stock compensation, loss of year-end bonus, to loss of job, or even jail time depending on the severity of the breach and how impactful the breach was to our nation and or the world.
Therefore, when news broke yesterday that Marissa Mayer, CEO of Yahoo lost her 2016 bonus and stock award after a board investigation of the 2014 cyber breach that resulted in the loss of information to over 1 billion million user accounts; I was personally conflicted.
Being a cyber security leader, business security leader, and a president of a non-profit (#securediversity.org) focused on empowering women and men in the cyber security industry focused on disrupting three cyber security industry statistics:
- 10% of the cyber security workforce is women
- 1% of the cyber community are women leaders
- 53% of women end up leaving the industry
I have always felt that accountability for security breaches must be shared within the C-suite AND the boardroom.
On one hand, the top business executive (CEO) in a fortune 1000 (Yahoo #513) is being held fiscally accountable for a major security breach – we should be applauding the move by Yahoo’s board. On the other hand, CEO fiscal accountablility for security breaches at an organization they are responsiblible form doesn’t appear to be the normal information security / cyber security industry practice.
Therefore is the fiscal accountability decision (loss of bonus and stock award) by Yahoo’s board a sign that the industry will hold EVERY CEO (female or male) fiscally accountable for security breaches at their firm OR will this become another reason why women are underrepresented in cyber security leadership positions and why women leave the cyber security and information security industry?
Kyle F. Kennedy