CISO Liability Concerns Drive Organizational Changes

The growing anxiety among CISOs (Chief Information Security Officers) over their personal liability in the event of a cybersecurity incident is prompting organizations to rethink how they support their cybersecurity leaders. A recent Fastly report surveyed 1,800 IT leaders and found that 93% of organizations have made policy changes to address CISO liability concerns. These changes come at a critical time, as high-profile cases like those involving SolarWinds CISO Tim Brown and former Uber CSO Joe Sullivan have highlighted the legal risks faced by cybersecurity executives.
Key Organizational Changes:
Increased CISO Involvement in Strategic Decisions:
41% of organizations are now involving CISOs more in board-level strategic decisions. This shift not only elevates the role of the CISO but also helps ensure that cybersecurity considerations are integrated into the overall business strategy rather than addressed after the fact. As John Heasman, CISO at Proof, noted, CISOs often lack a “seat at the table” yet are held responsible for cybersecurity failings. Elevating their role helps address this imbalance between authority and accountability.
Enhanced Legal Support for Security Teams:
38% of organizations are providing increased legal support to their security staff. This is crucial in helping CISOs navigate the complex legal landscape surrounding cybersecurity incidents. Michael Mestrovich, CISO at Rubrik, emphasized the importance of this support, stating that it helps CISOs manage their growing liability risks.
Scrutiny of Security Disclosure Documents:
Another 38% of organizations are subjecting security disclosure documents to additional scrutiny. This reflects a growing awareness of the importance of transparency and accuracy in communicating cybersecurity risks to stakeholders. Heasman described this as a “step in the right direction,” provided it goes beyond a “box-ticking exercise.”
Reminding CISOs of Legal Accountability:
21% of organizations are reminding CISOs that they are “not above the law.” While this reads as a warning rather than a form of support, it underscores the expectation that CISOs operate within the legal and regulatory frameworks that apply to their organizations.
Industry Leaders Weigh In:
Michael Mestrovich (CISO, Rubrik): Mestrovich highlighted the importance of additional legal support for CISOs and suggested that more CISOs should be covered by directors and officers (D&O) insurance. “I do think the more CISOs that are covered with D&O insurance, the better,” he said.
John Heasman (CISO, Proof): Heasman advocated for streamlining compliance regulations to focus more on risk reduction and clarifying responsibility for security incidents. “We definitely need to stop scapegoating CISOs and security teams,” he emphasized.
Despite these positive steps, challenges remain. Bentz, an industry expert, pointed out that organizations vary widely in resources and needs, from small “mom-and-pop” businesses to Fortune 50 companies. Imposing uniform regulatory requirements on such a diverse landscape can be difficult. Additionally, the lack of clear expectations regarding CISO responsibility contributes to the growing anxiety among cybersecurity leaders.
The industry is taking meaningful steps to address CISO liability concerns, from elevating their role in strategic decisions to providing enhanced legal support. However, the broader challenge of balancing accountability with support and avoiding scapegoating remains. As organizations continue to adapt, the focus must be on creating a fair and supportive environment for CISOs, ensuring they have the resources and authority needed to protect their organizations from cyber threats.
For more insights, read the full Fastly report and stay tuned to IT Legal Insights for updates on cybersecurity and legal trends.