June 11, 2024
Cyber Metrics: Shared Versus Individual Goals
Microsoft is the latest high-profile company to announce that it plans to base some of its senior management’s compensation on cybersecurity “plans and milestones.” I previously blogged about media reports that this practice is “inching up” among the biggest U.S. companies, but the media coverage may be overselling the use and utility of these metrics.
As consumers, we might like to hear that companies are putting their money where their mouth is and taking security — including of our data — seriously, but the panelists on our recent “The Top Compensation Consultants Speak” webcast noted that cyber metrics may not make sense as a shared goal. Here’s more commentary from Blair Jones of Semler Brossy during the webcast:
There was some literature and discussion in the press earlier this year that some companies might be adopting cybersecurity metrics and that cybersecurity might gain more prevalence as a metric. We haven’t seen that trend happening. Looking at the S&P 100, about 13% of companies have a metric like that. Clearly, cybersecurity is a huge issue for all companies, but there are many reasons we have seen its prevalence remain pretty low.
One is that while the whole organization needs to be vigilant, cybersecurity policy and systems are managed by a smaller group of people. Those individuals might have specific goals in their individual goals related to cybersecurity, but we don’t frequently see cybersecurity as a shared goal across the whole population. Where we do see cybersecurity goals showing up is in industries where you might expect, like some of the payment companies where cyber is a huge threat, and a huge part of their reputation is being a safe marketplace.
So we might see companies that find themselves in similar situations to Microsoft look to these goals to emphasize their security commitment, but for now, they otherwise make the most sense as individual goals for certain employees.
– Meredith Ervine