By Bruce Sussman
Fri | Mar 8, 2019 | 7:24 AM PST

It was one of our most widely shared stories of 2019, and it really touched a nerve among security leaders.

The Walt Disney Corporation's Board of Directors was asking its shareholders to vote no on a stockholder proposal about cybersecurity and privacy.

And on March 7, 2019, that's exactly what they did.

Just 26% of Disney stockholders voted to approve the measure; the rest were no votes cast by shareholders or by the board—or by default. 

You can read the details in our story, but in a nutshell, the proposal asked the board to look at the idea of linking all senior executive compensation to additional data security and privacy metrics.

The proposal sparked disagreement among our own readers, as they commented on SecureWorld's website and social media.

Are privacy and security core functions for senior executives?

Ping Identity’s Chief Customer Information Officer, Richard Bird, said the board's view against the measure was out of touch:

"Hackers are motivated by money. Security solutions providers are run on money. Company performance is measured in money. Suggesting that information security performance shouldn't be about money is... illogical. Impacting decision makers in their wallets will result in substantial, effective and rapid change."

And Bob Lord, Chief Security Officer of the Democratic National Party, added this comment when he retweeted the story:

"Incentives are everything, especially in security and privacy."

However, @RHamptonCISSP saw this as a shareholder activist issue which companies should prepare for:

"Whether you call them 'corporate gadflies' or 'shareholder activists,' CISOs and CROs maybe you should start noodling how to proactively brief your Board so they are prepared if shareholders propose something similar for your company."

And cybersecurity attorney Shawn Tuma of Spencer Fane LLP told us he had mixed feelings about the measure:

"While I like the idea that people are "getting" the importance of cyber risk and paying the kind of attention to it that it deserves, on every level, I'm just not sure this is an appropriate way to do it. Taking all of this into account and then recognizing that a Board's duty is one of oversight and they have to weigh all of the risks of a company, not just the ones that are the risks du jour, I don't really know that it would be appropriate to start saying some risks need to be addressed with specific measures such as this while others do not."

But John Sherwood argued that incentivizing senior executives for cybersecurity and privacy performance would, for Disney, actually be recognizing a core function:

"Disney is a digital entertainment company. Its products are digital in their nature. These are direct quotes from the front page of the Disney web site:

'The mission of The Walt Disney Company is to be one of the world’s leading producers and providers of entertainment and information.'

'Disney’s leadership team manages the world’s largest media company and are the visionaries behind some of the most respected and beloved brands around the globe. Their strategic direction for The Walt Disney Company focuses on generating the best creative content possible, fostering innovation and utilizing the latest technology, while expanding into new markets around the world.'

I think that tells us that cybersecurity and information security are core business activities for Disney. What if their next big entertainment product is stolen? Whose fault will that be?"

Now the vote is done and the proposal was defeated. But the issues it raised will continue to be debated when business or cybersecurity leaders come together.
