Most organizations, 93 per cent, have made policy changes over the last 12 months to address concerns about increased personal liability for CISOs (chief information security officers). This includes two in five (41pc) increasing CISO participation in strategic decisions at board level, according to a study commissioned by a cloud platform provider.
In late 2023, newly adopted regulations such as the SEC rules in the United States on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies, together with headlines about cyber breaches, put a focus on corporate accountability for data breaches and raised concern about CISO liability, according to Fastly. To reduce this risk, some 38 per cent of the research respondents have promised "increased scrutiny of security disclosure documentation from supervisory agencies", while 38pc have improved legal support for cybersecurity staff, including liability insurance, and corporations have allocated more resources to security in the past year.
Fastly CISO Marshall Erwin says: "It's encouraging to see the vast majority of companies making changes to liability disclosure given the inevitability of another worldwide outage that will put CISO accountability back into the spotlight. However, while investing in legal protection is an important step, this change is often more about shielding organizations from legal risk rather than fostering meaningful accountability to drive better security practices.
"Proper accountability requires moving beyond liability insurance and disclosure edits. For meaningful change, we need to view accountability as a positive force to incentivize better security. For that, we need better, clearer standards from regulators and enforcers that distinguish between unavoidable incidents and avoidable ones resulting from truly deficient security practices."
Shared responsibility
The study also found that nearly half (46pc) of organizations are unclear about who holds ultimate responsibility for cybersecurity incidents, while only 36pc have clearly delineated roles and responsibilities within their teams. Marshall Erwin added: "CISOs do not make the final call on every decision. When it comes to security risks, the question a board should be asking is, 'Are we aligning the budget to address the risks the CISO has communicated to us?' This is where accountability should start – at the senior leadership level, with clear communication and alignment of resources."