CISOs need to consider the personal risks associated with their role

December 16, 2024

One of the growing trends in cybersecurity enforcement in the past few years is for Chief Information Security Officers to be held personally liable for cybersecurity incidents, and to face prosecution if the incident is not properly handled. In many ways, this is a positive change. It does require boards to take cybersecurity more seriously, and bad CISOs who intentionally withhold information and endanger their customers or the public can be held to account. However, while the fear of prosecution can certainly act as a motivator for CISOs, it also certainly acts as a stressor. A recent survey conducted by BlackFog on CISOs and other IT security decision makers in the US and UK captured the feelings on the issue in both directions, and it is enlightening to examine the results.

The positives of the policy are generally understood: 49% of polled CISOs agreed that the potential for an individual to be prosecuted following a cyberattack would improve accountability and transparency for cyber professionals. A further 41% agreed that the trend of cybersecurity leaders facing increased scrutiny and the potential of personal liability has made the Board take cybersecurity more seriously. However, this scrutiny does not always lead to additional results, since only 10% of all respondents stated that this has resulted in additional money devoted to cybersecurity.

What is especially concerning is that 70% of respondents agreed that stories of CISOs being held personally liable for cybersecurity incidents have negatively affected their opinion of the role, and that 34% agreed that the trend of individuals being prosecuted following a cyberattack was a ‘no-win’ situation for security leaders: facing internal consequences if they report failings and prosecution if they don’t. It is clear that this is a major pressure point for the position, since 15% of respondents agreed that it would be a deterrent for IT professionals to become CISOs. This may be consistent with other suggestions that the CISO position be divided into multiple positions in order to cope with its growing responsibilities. The level of responsibility created by this personal liability will hopefully be a motivator for both CISOs and the boards they serve to address short-term problems quickly and effect long-term reforms so that they are able to handle the responsibility.
