
Increased Risks of CISO Liability Trigger Policy Adjustments in 93% of Businesses

Organizations have implemented adjustments, including boosting the role of Chief Information Security Officers in key strategic decisions.

Organizational policy adjustments prompted by increased liability risks for CISOs occur in 93% of companies.


In a rapidly evolving digital world, the roles and responsibilities within cybersecurity are undergoing significant changes, with a growing emphasis on personal accountability. This shift is particularly noticeable in the US, where regulators are increasingly focusing on personal liability for cybersecurity incidents.

Recent events highlight this trend. In October 2023, the US Securities and Exchange Commission (SEC) charged SolarWinds and its Chief Information Security Officer (CISO), Tim Brown, for allegedly downplaying or failing to disclose cyber-risks while overstating the firm's security practices. Similarly, FTX and its CISO, Sam Bankman-Fried, were charged by the SEC in the same month. These incidents underscore the potential consequences for CISOs if their organisations fail to meet the required standards.

The EU's NIS2 directive also includes provisions for CISOs to face personal liability if their organisation fails to comply with the directive's cybersecurity standards.

This shift towards personal accountability is reflected in the day-to-day operations of organisations. According to a research survey of 1,800 IT decision-makers in large organisations across various regions, nearly all (93%) organisations have introduced policy changes over the past 12 months to address rising CISO personal liability risks.

The survey also revealed a rise in accountability across teams outside of cybersecurity. Security engineers are the second most commonly cited role (19%), followed by application developers (10%), platform engineers (8%), and site reliability engineers (7%). However, the report by Telstra International and Omdia, published on February 24, highlighted a lack of consistency and clarity around who is responsible for securing IT/OT environments.

Interestingly, only 20% of respondents identified CISOs as having the responsibility to secure IT/OT environments, followed by Chief Risk Officers (14%) and Chief Technology Officers (13%). The CISO is cited as responsible for incidents by 14% of respondents, while security managers are the type of leader most commonly cited as responsible for incidents (21%).

Despite this, there is a growing trend for CISOs to participate more in strategic decisions at board level: 41% of organisations have increased CISO participation in strategic decisions, reflecting a growing recognition of the strategic importance of cybersecurity.

However, there is still a lack of clarity over who is responsible for cybersecurity incidents in organisations: 46% of respondents feel there is a lack of clarity. Marshall Erwin, CISO at Fastly, states that these efforts to address liability disclosure are often driven by shielding organisations from legal risk rather than by fostering meaningful accountability that drives better security practices.

In response to these challenges, the same proportion of organisations have also improved legal support for cybersecurity staff, including buying liability insurance.

This shift towards personal accountability and the growing focus on CISO liability is a response to a broader trend among regulators towards holding individuals accountable for cybersecurity incidents. The case of former Uber CISO Joe Sullivan, who was convicted on federal charges relating to the cover-up of the 2016 theft of Uber drivers' and customers' personal information, is a stark reminder of this trend.

In conclusion, the landscape of cybersecurity responsibilities and liability is changing, with a growing emphasis on personal accountability. Organisations are responding to this trend by introducing policy changes, improving legal support for cybersecurity staff, and increasing CISO participation in strategic decisions. However, there is still a need for clarity and consistency around who is responsible for securing IT/OT environments and handling cybersecurity incidents.
