Making it contractually worthwhile for executives to prioritise cyber security is likely toĀ have long-term benefits.
Following major cyber attacks, some large organisations around the world have started attaching cyber-security assurance metrics to their executivesā short-term incentive plans (STIPs).
According to Fortinetās 2024 Cybersecurity Skills Gap Report, approximately 50% of local companies each experienced around four cyber attacks in the last year alone, so should South African entities follow the same trend?
Larger organisations in the US, including several Fortune 100 companies, have incorporated cyber-security goals into the calculation of executivesā short-term incentives. While weāre not seeing this trend in South Africa yet, given the alarming growth in cyber crime, similar practices should be adopted urgently, and remuneration committees and reward professionals need to stay abreast of these trends.
With cyber attacks escalating worldwide, so too have incidents of enterprises being caught completely off guard by them. Such breaches may result in massive data losses, possibly costing millions in lost revenue and potential fines to data regulators and other third parties.
Crucially, senior executives are at risk of facing fines, jail time or loss of employment following a cyber attack.
Cyber security has become an undeniable strategic imperative that should reflect in executive rewards as dedicated KPIs.
Create a culture
Cyber-security-linked KPIs should be proactive in nature and not punitive. Rather than relying on reactive measures like penalties for breaches, a more effective approach is to proactively incentivise executives to focus on implementing robust security strategies and ensuring this mindset is cascaded through the entire organisation.
Imposing penalties after a breach is less effective than providing incentives that encourage executives to prioritise organic systemwide protection in the first place.
Executives who maximise system resilience, develop rapid response protocols, prioritise data privacy and protection, assure business continuity and, most importantly, foster a cyber-security-driven culture and awareness across all functions in their enterprise are less likely to be breached and will be able to pivot quicker in instances where a breach requires mitigation.
Those executives who will only be punished financially after an attack that might never happen will typically focus their attention on pressing concerns that impact the business ā and their rewards ā right now.
Responsibility also canāt just be left to the CEO and CIO, but organisations must enlist other key players such as the Chief People Officer and Chief Financial Officer. Reinforcing a security mindset requires buy-in from all levels of leadership.
Board members and remuneration committees may lack the technical expertise to pinpoint specific cyber-security priorities, so itās essential they avoid setting vague or superficial goals for executive incentives. Performance should be both meaningful and impactful in terms of staving off disaster, and that demands input from one or more subject matter experts.
Text |Ā Carmen Arico
Photography |Ā VideoFlow
Carmen Arico is a Chartered Reward Specialist and spokesperson for the South African Reward Association (SARA).
For more information, go toĀ sara.co.za.
