CISO Liability Risks Spur Policy Changes at 93% of Organizations

Nearly all (93%) organizations have introduced policy changes over the past 12 months to address rising CISO personal liability risks, according to new research by cloud service provider Fastly.
This includes 41% of organizations increasing CISO participation in strategic decisions at the board level.
Additionally, 38% of respondents reported “increased scrutiny of security disclosure documentation from supervisory agencies.”
The same proportion have also improved legal support for cybersecurity staff, including buying liability insurance.
These policy changes are in response to a shift by regulators towards personal liability for cybersecurity incidents, particularly in the US.
Notable cases include the conviction of former Uber CISO Joe Sullivan in 2022 on federal charges relating to the cover-up of the 2016 theft of Uber drivers’ and customers’ personal information.
In October 2023, the US Securities and Exchange Commission (SEC) charged SolarWinds and its CISO Tim Brown for allegedly deliberately downplaying or failing to disclose cyber-risks while overstating the firm’s security practices. Most of the charges were subsequently dismissed, although securities fraud claims based on the company’s public statements about its security practices were allowed to proceed.
Need for Clearer Regulatory Standards
Recent cybersecurity legislation in other jurisdictions, including the EU’s NIS2 directive, also includes provisions under which CISOs and other senior managers can face personal liability if their organization fails to meet the required standards.
Marshall Erwin, CISO at Fastly, said that while it is encouraging to see the vast majority of companies making changes to liability disclosure, these efforts are often driven by shielding organizations from legal risk rather than fostering meaningful accountability to drive better security practices.
“Proper accountability requires moving beyond liability insurance and disclosure edits. For meaningful change, we need to view accountability as a positive force to incentivize better security. For that, we need better, clearer standards from regulators and enforcers that distinguish between unavoidable incidents and avoidable ones resulting from truly deficient security practices,” Erwin commented.
The research surveyed 1,800 IT decision makers in large organizations across North, Central and South America, Europe, Asia-Pacific and Japan.
Lack of Accountability for Security Incidents
The study found that 46% of respondents feel there is a lack of clarity over who is responsible for cybersecurity incidents in organizations.
Security managers were most commonly cited as the type of leader responsible for incidents (21%). This was followed by security engineers (19%) and the CISO (14%).
Additionally, just 36% of respondents clearly identified roles and responsibilities for cybersecurity.
There was also a rise in accountability across teams outside of cybersecurity, including application developers (10%), platform engineers (8%) and site reliability engineers (7%). Fastly said this suggests that responsibility for cybersecurity incidents is no longer siloed within security-specific roles.
A report by Telstra International and Omdia published on February 24 highlighted a similar lack of consistency and clarity around who is responsible for securing IT/OT environments. Just 20% of respondents identified CISOs as having this responsibility, followed by Chief Risk Officers (14%) and Chief Technology Officers (13%).