> “absolutely everything”
It isn’t absolutely everything, it’s for negligence. If you don’t have basics in place, like independent pen-tests, ISO 27001 audits — or some equivalent — when you’re handling clinical data, then that’s negligence.
If a breach happens and you were seen to have followed best practice, you won’t be found criminally negligent.
That is part of being an executive. The buck stops with you — if you’re an executive, you’d better understand your obligations, you get the big bucks for a reason, it isn’t just a fancy job title.
Other people in the organisation can be held accountable for criminal acts, but when it comes to criminal negligence, it’s the executives that are liable, because it’s a systemic failure and you’re deemed to be in charge of the system.
>if you’re an executive [...] you get the big bucks for a reason
In Finland? Notably wage-compressed Finland?
No comment on the specifics of this case, I agree with you that the executive should be where the buck stops. But you would be surprised how many various execs I have met here over the years who admit behind closed doors they really do treat it as a fancy job title that barely pays above their last position, but comes with 3x the stress, and they do it simply because, well, someone has to. You can't really be surprised that most of the folks here who you might want to be in the C-suite decide it's just not worth it, that remaining a middle manager or even an IC is simply a far better value proposition.
Posting anonymously here. I was on the leadership team of a Nordic public company, reporting to the CEO, presenting to the board and representing the company at the AGM. Total comp a little under $200k.
The compensation really didn’t match what you take on in terms of responsibility and legal liability. The stress was significant too. That said, as you point out, the work needs doing.
Recommended if you have an over-active sense of duty, not otherwise.
> In Finland? Notably wage-compressed Finland?
It's all relative.
But this is not “absolutely everything”. No one is saying CEOs should be accountable for every action of an individual employee.
So if not the CEO, who is accountable when something like this breach happens? The CTO? The PM? The DBA? Nobody? Maybe the developer who wrote the code or botched the configuration should be prosecuted?
CEOs can justify their pay by being accountable for what their company does. They’re the CEO, after all. Maybe they’ll care more when they have some actual skin in the game.
When a bridge fails, it is the professional engineer that signed off on that part. If you want someone to sign off on software or IT you will need to pay them quite a lot.
In my experience civil engineers get paid less than software developers of equivalent experience or responsibility.
Yes, I would expect compensation to increase proportionally with accountability. What makes no sense is compensation that increases irrespective of accountability.
Being the CEO of a company that handles risky, sensitive things should be risky for the CEO, personally. And their compensation can reflect that.
Is it sane to reward them for almost absolutely everything that goes right? Because that's the status quo for this position.
Privatize the gains and socialize the losses, eh?
The CEO is responsible for ensuring that there is a routine for security.
If that is not created -> CEO responsibility.
If that is not followed -> top level mgmt responsibility.
And so on, further down the chain.
Well this is why they get paid so much isn't it? Because they carry the responsibility.
So who?
It's normally the company directors that are personally liable.