CISOs need to consider the personal risks associated with their role

December 16, 2024

One of the growing trends in cybersecurity enforcement in the past few years is for Chief Information Security Officers to be held personally liable for cybersecurity incidents, and to face prosecution if an incident is not properly handled. In many ways, this is a positive change. It requires boards to take cybersecurity more seriously, and bad CISOs who intentionally withhold information and endanger their customers or the public can be held to account. However, while the fear of prosecution can certainly act as a motivator for CISOs, it also certainly acts as a stressor. A recent survey conducted by BlackFog of CISOs and other IT security decision makers in the US and UK captured the feelings on the issue in both directions, and it is enlightening to examine the results.

The positives of the policy are generally understood: 49% of polled CISOs agreed that the potential for an individual to be prosecuted following a cyberattack would improve accountability and transparency for cyber professionals. A further 41% agreed that the trend of cybersecurity leaders facing increased scrutiny and the potential of personal liability has made the Board take cybersecurity more seriously. However, this scrutiny does not always lead to additional resources, since only 10% of all respondents stated that it has resulted in additional money devoted to cybersecurity.

What is especially concerning is that 70% of respondents agreed that stories of CISOs being held personally liable for cybersecurity incidents have negatively affected their opinion of the role, and that 34% agreed that the trend of individuals being prosecuted following a cyberattack was a ‘no-win’ situation for security leaders: facing internal consequences if they report failings and prosecution if they don’t. It is clear that this is a major pressure point for the position, since 15% of respondents agreed that it would be a deterrent for IT professionals to become CISOs. This may be consistent with other suggestions that the CISO position be divided into multiple positions in order to cope with its growing responsibilities. The level of responsibility created by this personal liability will hopefully be a motivator for both CISOs and the boards they serve to address short-term problems quickly and to effect the long-term reforms needed to handle that responsibility.
