Public sector executive pay should be linked to cybersecurity

Written by James Wickes on 27 February 2018 in Opinion

James Wickes of Cloudview believes regulators need to take steps to sharpen senior managers’ focus on cybersecurity

Cybersecurity is constantly in the headlines for all the wrong reasons. 

Earlier this month, we heard that all 200 UK NHS Trusts that have been assessed so far failed to meet the standards of the government-backed Cyber Essentials Plus scheme. Some of them even failed on patching, which was the vulnerability that led to the WannaCry ransomware attack. They clearly haven’t learned the lessons from an event which caused massive disruption across the health service, with operations postponed and appointments cancelled.

You would think that, if public sector organisations can’t even manage basic security hygiene such as patching, there would be consequences for those running them. However, while the forthcoming GDPR is bringing in new requirements for the protection of personal data, the large fines (€20m or 4% of global revenue) for a privacy breach will apply to the organisations concerned and will not affect their leaders. 

After the TalkTalk cyberattack, its then chief executive Dido Harding may have had her cash bonus halved, from £432,000 to £220,000, but she was still paid a total of £2.81M in 2015, despite the personal and financial details of tens of thousands of customers disappearing into the ether. The attack cost TalkTalk £60m and 101,000 customers.

The public sector holds even more personal information, from our tax details to our medical records. However, public sector leaders will simply blame a lack of resources for not being able to implement effective security standards, and the problem will become a political football rather than a security issue. Meanwhile, nothing will change, and both our data and the services we rely on will remain at risk.

There have been some suggestions that penalties for a cyber breach should apply to executives too. After investigating the massive cyberattack on TalkTalk, the select committee on Media, Culture and Sport recommended that a portion of CEO compensation should be linked to effective cybersecurity. This would have implications for anyone who leads an enterprise and has legal responsibility for its behaviour – be it private or public, big or small. 

They then made another recommendation which has even more serious implications, saying: “We concur with the ICO that, whilst the implementation of the EU GDPR will help focus attention on data protection, it would be useful to have a full range of sanctions, including custodial sentences.” 

So, if these recommendations were to become law, executives could lose money if they were judged not to have ensured the necessary cybersecurity – and could even go to jail. 

Despite this, 18 months later we have seen no sign of these recommendations becoming law, and security breaches continue to occur with alarming regularity.

In my view hitting public sector executives hard in their pocket may be the only way to make them take cybersecurity seriously. Their job is all about balancing risk and reward. For whatever reason, they appear to be choosing not to take the risk of a cyberattack seriously, and are focusing their attention and budgets on other issues. 

In the private sector, at least customers can vote with their feet and take their business elsewhere, potentially affecting an organisation’s bottom line. However, where public sector services are concerned we have no choice. Each service, from council tax to health, is a monopoly. So, we have to rely on regulators to protect us. 

It is about time that they woke up and hit those running our public services in the only place they will feel it – their pockets.

About the author

James Wickes is CEO and co-founder of Cloudview
