
Companies are adjusting their policies in response to CISO liability jitters

More than 90% of companies have introduced policy changes to address shifts in CISO liability.

A person holding a laptop under an umbrella, shielding them from looming cyber threats.

Francis Scialabba

Companies are addressing the elephant in the room around the growing anxiety many CISOs feel over their sense of liability in the event of a cybersecurity incident.

A new Fastly report that surveyed 1,800 IT leaders found that close to half of the queried decision-makers (41%) are making their CISO more involved in strategic decisions at the board level to address concerns around CISO liability. Other changes across organizations include increased legal support for security staffers (38%), additional scrutiny of security disclosure documents from supervisory agencies (38%), and reminding CISOs that they are, in fact, “not above the law” (21%).

In total, 93% of organizations surveyed reported making some form of policy change to address liability concerns from CISOs.

Perfect timing. The changes come at a time when personal liability continues to keep C-suite executives on edge after two high-profile leaders faced legal repercussions over their individual liability in security-related events. In 2023, SolarWinds and its CISO Tim Brown were slapped with SEC charges for misrepresenting the company’s cybersecurity practices to investors and customers. The charges have since been largely dismissed. The year before that, Uber CSO Joe Sullivan was convicted for covering up a data breach that occurred in 2016.

Thomas Bentz, Jr., partner at Holland & Knight, told IT Brew that high-profile cases can heighten the pressure for CISOs, who are already juggling a demanding role.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

“We’re talking about a wide range of companies. You’ve got mom-and-pops and then you’ve got Fortune 50 companies,” Bentz said. “They have very vastly different resources and vastly different needs. So, to try and put a one-size-fits-all requirement on them can be really tough.”

Bentz added that there are no clear expectations of what the fall guy’s responsibility actually is.

CISO stamp of approval? So, how do CISOs feel about the changes happening across the industry? Rubrik CISO Michael Mestrovich told IT Brew that additional legal support is handy.

“I do think the more CISOs that are covered with [directors and officers] insurance, the better,” he said.

John Heasman, CISO at Proof, an identity-assured transaction management platform, opined that additional scrutiny of security disclosures is a “step in the right direction” if it goes beyond a “box-ticking exercise.”

Heasman said that in his ideal world, he would ultimately want the industry to “streamline” compliance regulations so they focus more on reducing risk, and to take a closer look at who is actually responsible for security incidents.

“The CISO may not, as the saying goes, have a seat at the table, and yet is sort of deemed responsible for cybersecurity failings,” Heasman said. “So, I think we definitely need to stop scapegoating CISOs and security teams.”
