I doubt it would be of any use. Most companies underfinance IT and security, while CISO just writes “rules” on how things should be, instead of overseeing actual hardening.
CEOs on the other hand being financially or criminally responsible, may lead to something.
At least the EU NIS2 directive has the right idea about it
Companies should tie CISO contracts to ransomware payouts.
We’d instantly have better protection AND make it financially unviable for future attacks as the CISO’s would have to pay out from their own wages.
I doubt it would be of any use. Most companies underfinance IT and security, while CISO just writes “rules” on how things should be, instead of overseeing actual hardening.
CEOs on the other hand being financially or criminally responsible, may lead to something.
At least the EU NIS2 directive has the right idea about it