CISOs need to consider the personal risks associated with their role
One of the growing trends in cybersecurity enforcement in the past few years is for Chief Information Security Officers to be held personally liable for cybersecurity incidents, and to face prosecution if an incident is not properly handled. In many ways, this is a positive change. It requires boards to take cybersecurity more seriously, and bad CISOs who intentionally withhold information and endanger their customers or the public can be held to account. However, while the fear of prosecution can certainly act as a motivator for CISOs, it just as certainly acts as a stressor. A recent survey conducted by BlackFog of CISOs and other IT security decision makers in the US and UK captured the feelings on the issue in both directions, and it is enlightening to examine the results.
The positives of the policy are generally understood: 49% of polled CISOs agreed that the potential for an individual to be prosecuted following a cyberattack would improve accountability and transparency for cyber professionals. A further 41% agreed that the trend of cybersecurity leaders facing increased scrutiny and the potential of personal liability has made the Board take cybersecurity more seriously. However, this scrutiny does not always translate into additional resources, since only 10% of all respondents stated that it has resulted in additional money devoted to cybersecurity.
What is especially concerning is that 70% of respondents agreed that stories of CISOs being held personally liable for cybersecurity incidents have negatively affected their opinion of the role, and that 34% agreed that the trend of individuals being prosecuted following a cyberattack was a ‘no-win’ situation for security leaders: facing internal consequences if they report failings and prosecution if they don’t. It is clear that this is a major pressure point for the position, since 15% of respondents agreed that it would be a deterrent for IT professionals to become CISOs. This may be consistent with other suggestions that the CISO position be divided into multiple positions in order to cope with its growing responsibilities. The level of responsibility created by this personal liability will hopefully be a motivator for both CISOs and the boards they serve to address short-term problems quickly and effect long-term reforms so that they are able to handle the responsibility.