Threat of personal liability has CISOs sweating

CISOs are feeling the pressure over stories of their peers being held personally liable for cybersecurity incidents.

In the most notorious example, the US Securities and Exchange Commission (SEC) last year announced that it was filing charges against both SolarWinds and its CISO, Tim Brown, amid allegations of “fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities”.

While Brown beat the charges earlier this year, others haven’t been quite as lucky.

Uber CSO Joe Sullivan, for example, was given a three-year probation sentence and a $50,000 fine for covering up a 2016 data breach. And CISOs fear such charges could potentially be filed against them.

Seven-in-ten told security firm BlackFog in a new survey that incidents like this had negatively affected their opinion of the job. Around a third said the trend was a no-win situation for security leaders, leaving them facing internal consequences if they report failings and prosecuted if they don’t.

“The role of the CISO is all about managing risk for the organization but, as regulations tighten, security leaders increasingly need to consider their own personal risk,” said BlackFog founder and CEO Dr Darren Williams.

Increased accountability has, at least, led to internal changes to improve cybersecurity practices within their organisation. Nearly half (44%) of respondents said their company had already put processes in place to reduce their cyber exposure as a result.

Nearly half of all respondents believe that the potential for an individual to be prosecuted following a cyber attack would improve accountability and transparency amongst cyber professionals.

This was higher for respondents in the US, at 55%, compared with those in the UK at 43%.

When asked about the impact on the cybersecurity leaders of the future, only 15% believed that it would be a deterrent for IT professionals to become CISOs.

Meanwhile, four-in-ten said the increased scrutiny and potential of personal liability has made the board take cybersecurity more seriously. This was higher in the UK, with 47% of security leaders agreeing, compared with just 35% in the US.

This has yet to translate into more resources, though, with just 10% of all respondents saying such concerns had translated to any rise in security budget.

“High profile instances of individuals being charged will no doubt add to the pressures they feel but could also be a catalyst for boards to support their leaders,” said Williams.

“Improvements to governance, clear lines of reporting and incident response procedures are vital, but this must be supported by allocated resources so that security leaders can implement the security measures they need.”