Threat of personal liability has CISOs sweating
With increased scrutiny, boards need to ramp up support for CISOs


CISOs are feeling the pressure over stories of their peers being held personally liable for cybersecurity incidents.
In the most notorious example, the US Securities and Exchange Commission (SEC) last year announced that it was filing charges against both SolarWinds and its CISO, Tim Brown, amid allegations of "fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities".
While Brown beat the charges earlier this year, others haven’t been quite as lucky.
Uber CSO Joe Sullivan, for example, was given a three-year probation sentence and a $50,000 fine for covering up a 2016 data breach. And CISOs fear such charges could potentially be filed against them.
Seven-in-ten told security firm BlackFog in a new survey that incidents like this had negatively affected their opinion of the job. Around a third said the trend was a no-win situation for security leaders, leaving them facing internal consequences if they report failings and prosecution if they don't.
"The role of the CISO is all about managing risk for the organization but, as regulations tighten, security leaders increasingly need to consider their own personal risk," said BlackFog founder and CEO Dr Darren Williams.
Increased accountability has, at least, led to internal changes to improve cybersecurity practices within CISOs' organisations. Nearly half (44%) of respondents said their company had already put processes in place to reduce their cyber exposure as a result.
Nearly half of all respondents believe that the potential for an individual to be prosecuted following a cyber attack would improve accountability and transparency amongst cyber professionals.
This was higher for respondents in the US, at 55%, compared with those in the UK at 43%.
When asked about the impact on the cybersecurity leaders of the future, only 15% believed that it would be a deterrent for IT professionals to become CISOs.
Meanwhile, four-in-ten said the increased scrutiny and potential of personal liability has made the board take cybersecurity more seriously. This was higher in the UK, with 47% of security leaders agreeing, compared with just 35% in the US.
This has yet to translate into more resources, though, with just 10% of all respondents saying such concerns had translated to any rise in security budget.
"High profile instances of individuals being charged will no doubt add to the pressures they feel but could also be a catalyst for boards to support their leaders," said Williams.
"Improvements to governance, clear lines of reporting and incident response procedures are vital, but this must be supported by allocated resources so that security leaders can implement the security measures they need."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.