{"id":1412,"date":"2025-01-06T09:00:00","date_gmt":"2025-01-06T09:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1412"},"modified":"2025-01-06T09:00:00","modified_gmt":"2025-01-06T09:00:00","slug":"personal-liability-sours-70-of-cisos-on-their-role","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1412","title":{"rendered":"Personal liability sours 70% of CISOs on their role"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>With legal accountability tightening around those charged with maintaining enterprise cybersecurity, security leaders appear to be increasingly frustrated with their roles, <a href=\"https:\/\/www.csoonline.com\/article\/3595796\/24-of-cisos-actively-looking-to-leave-their-jobs.html\">eyeing the exit<\/a>, and hesitant to pursue CISO gigs in the future.\u00a0<\/p>\n<p>More than two thirds (70%) of CISOs recently surveyed said that \u201cstories of CISOs being held personally liable for cybersecurity incidents has negatively affected their opinion of the role,\u201d according to a <a href=\"https:\/\/www.blackfog.com\/personal-liability-cybersecurity-leaders\/\">survey by ransomware prevention vendor BlackFog<\/a>.<\/p>\n<p>Thus far, only a handful of CISO punishments have been widely publicized, including cases involving <a href=\"https:\/\/www.csoonline.com\/article\/573871\/guilty-verdict-in-the-uber-breach-case-makes-personal-liability-real-for-cisos.html\">Uber<\/a> and <a href=\"https:\/\/www.csoonline.com\/article\/2810058\/federal-judge-greenlights-securities-fraud-charges-against-solarwinds-and-its-ciso.html\">SolarWinds<\/a>. 
But reports of frustration among CISOs not being allowed to truly manage cybersecurity decisions <a href=\"https:\/\/www.csoonline.com\/article\/3602722\/the-ciso-paradox-with-great-responsibility-comes-little-or-no-power.html\">are quite common<\/a> \u2014 and are <a href=\"https:\/\/www.darkreading.com\/cybersecurity-analytics\/cisos-need-backing-to-take-charge-of-security\">only expected to rise<\/a>.\u00a0<\/p>\n<p>Security leaders\u2019 frustration is not solely about new requirements such as the <a href=\"https:\/\/www.csoonline.com\/article\/3609804\/what-cisos-need-to-know-about-the-secs-breach-disclosure-rules.html\">SEC\u2019s breach disclosure rules<\/a> \u2014 which <a href=\"https:\/\/www.csoonline.com\/article\/1247504\/how-us-sec-legal-actions-put-cisos-at-risk-and-what-to-do-about-it.html\">can put CISOs in a Catch-22 bind<\/a>. It is also about how those requirements might play out against CISOs who were repeatedly overruled on measures to protect the company. If the enterprise won\u2019t do what the CISO says needs done, why should the CISO take the fall?\u00a0<\/p>\n<p>Security specialists advise these execs to negotiate for additional protections, including making the role a corporate officer, guaranteeing company payment of insurance policies, and substantial exit clauses if they are fired.<\/p>\n<p>Still, concerns are rising in the CISO community over the issue of responsibility versus authority.<\/p>\n<p>According to the BlackFog survey, while 41% of respondents said \u201cthe trend of cybersecurity leaders facing increased scrutiny and the potential of personal liability has made the Board take cybersecurity more seriously,\u201d \u201conly 10% of all respondents stated that this has resulted in additional money devoted to cybersecurity,\u201d BlackFog analysts found.<\/p>\n<p>\u201cWhat it is is taxation with limited representation, where CISOs are being held accountable for a series of security controls, but the decisions are actually 
being made by committee,\u201d said Fritz Jean-Louis, a principal cybersecurity advisor at Info-Tech Research Group and former CISO of The Globe and Mail. \u201cThey are being told that they are in charge of cybersecurity, but the reality is different. They have responsibility without actual power. They are influencing without direct responsibility.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Security exec exodus?<\/h2>\n<p>Jeff Pollard, VP and principal analyst at Forrester, is already seeing signs of top CISO talent opting out of the role.\u00a0<\/p>\n<p>\u201cThe CISO role was already thankless prior to these changes. And plenty of vendors exist out there that will gladly add a former operating CISO to their teams as an evangelist, thought leader, or even line of business leader. And those jobs are often better compensated than a traditional CISO role,\u201d Pollard said. \u201cMore upside and far less downside makes shifting to vendorland an easy decision for most CISOs.\u201d<\/p>\n<p>Andy Lunsford, CEO of cybersecurity vendor BreachRx, expects the supply of experienced security leaders to fall unless boards start delivering meaningful protections to CISOs \u2014 or give them full authority to make and enforce security decisions.\u00a0<\/p>\n<p>\u201cCEOs are going to be coming under fire from the SEC and different regulators. And the CISO isn\u2019t going to be holding the bag forever,\u201d Lunsford said. \u201cThere is still a lack of supply of experienced talented CISOs out there.\u201d<\/p>\n<p>Lunsford also sees a more immediate problem associated with the CISO disconnect between responsibilities and authority.\u00a0<\/p>\n<p>\u201cThe personal liability stakes are forcing CISOs to be more deliberate and measured with their decision-making. We have heard from many CISOs that they are more intentionally documenting decision-making of their own and that of senior leadership when it comes to making risk-based decisions,\u201d Lunsford said. 
\u201cOn the surface, that may sound completely positive, but it has an impact of slowing decision-making and adding administrative burden when carried out manually without technology that automatically records their work and decision-making.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Negotiating protections<\/h2>\n<p>Ultimately, whether CEOs provide CISOs with protections may be a factor of talent market dynamics. In the meantime, veteran security leader Jim Routh, who has held CISO-level roles at Mass Mutual, CVS, Aetna, KPMG, American Express, and JP Morgan Chase, counsels CISOs and prospective CISOs to push for key contractual protections.<\/p>\n<p>\u201cSeverance needs to be triggered by any change in reporting\u201d structure, said Routh, who today serves as chief trust officer at security vendor Saviynt. CISOs \u201cneed the protection.\u201d<\/p>\n<p>Other key elements, Routh said, are insurance protections and ensuring the enterprise pays any necessary fees from an independent attorney \u2014 one not beholden to the enterprise\u2019s interests. 
CISO contracts should also deliver full indemnification, meaning that the enterprise will pay for any judgments, penalties, fines, or compensation directly related to the CISO\u2019s official duties, Routh said.<\/p>\n<p>For example, insurance company Crum &amp; Forster in November rolled out <a href=\"https:\/\/www.cfins.com\/crum-forster-introduces-professional-liability-insurance-for-chief-information-security-officers\/\">professional liability insurance explicitly designed for CISOs<\/a>.\u00a0<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>With legal accountability tightening around those charged with maintaining enterprise cybersecurity, security leaders appear to be increasingly frustrated with their roles, eyeing the exit, and hesitant to pursue CISO gigs in the future.\u00a0 More than two thirds (70%) of CISOs recently surveyed said that \u201cstories of CISOs being held personally liable for cybersecurity incidents has [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1413,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1412","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1412"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1412"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1412\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_r
oute=\/wp\/v2\/media\/1413"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1412"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1412"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1412"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}