Personal liability sours 70% of CISOs on their role

With legal accountability tightening around those charged with maintaining enterprise cybersecurity, security leaders appear to be increasingly frustrated with their roles, eyeing the exit, and hesitant to pursue CISO gigs in the future. More than two thirds (70%) of CISOs recently surveyed said that “stories of CISOs being held personally liable for cybersecurity incidents has negatively affected their opinion of the role,” according to a survey by ransomware prevention vendor BlackFog.

Thus far, only a handful of CISO punishments have been widely publicized, including cases involving Uber and SolarWinds. But reports of frustration among CISOs who are not allowed to truly manage cybersecurity decisions are common, and are only expected to rise. Security leaders’ frustration is not solely about new requirements such as the SEC’s breach disclosure rules, which can put CISOs in a Catch-22 bind. It is also about how those requirements might play out against CISOs who were repeatedly overruled on measures to protect the company. If the enterprise won’t do what the CISO says needs to be done, why should the CISO take the fall?

Security specialists advise these execs to negotiate for additional protections, including making the role a corporate officer, guaranteeing company payment of insurance policies, and substantial exit clauses if they are fired.

Still, concerns are rising in the CISO community over the issue of responsibility versus authority. According to the BlackFog survey, while 41% of respondents said “the trend of cybersecurity leaders facing increased scrutiny and the potential of personal liability has made the Board take cybersecurity more seriously,” “only 10% of all respondents stated that this has resulted in additional money devoted to cybersecurity,” BlackFog analysts found.

“What it is is taxation with limited representation, where CISOs are being held accountable for a series of security controls, but the decisions are actually being made by committee,” said Fritz Jean-Louis, a principal cybersecurity advisor at Info-Tech Research Group and former CISO of The Globe and Mail. “They are being told that they are in charge of cybersecurity, but the reality is different. They have responsibility without actual power. They are influencing without direct responsibility.”

Jeff Pollard, VP and principal analyst at Forrester, is already seeing signs of top CISO talent opting out of the role. “The CISO role was already thankless prior to these changes. And plenty of vendors exist out there that will gladly add a former operating CISO to their teams as an evangelist, thought leader, or even line of business leader. And those jobs are often better compensated than a traditional CISO role,” Pollard said. “More upside and far less downside makes shifting to vendorland an easy decision for most CISOs.”

Andy Lunsford, CEO of cybersecurity vendor BreachRx, expects the supply of experienced security leaders to fall unless boards start delivering meaningful protections to CISOs, or give them full authority to make and enforce security decisions.

“CEOs are going to be coming under fire from the SEC and different regulators. And the CISO isn’t going to be holding the bag forever,” Lunsford said. “There is still a lack of supply of experienced talented CISOs out there.”

Lunsford also sees a more immediate problem caused by the gap between CISOs’ responsibilities and their authority. “The personal liability stakes are forcing CISOs to be more deliberate and measured with their decision-making. We have heard from many CISOs that they are more intentionally documenting decision-making of their own and that of senior leadership when it comes to making risk-based decisions,” Lunsford said. “On the surface, that may sound completely positive, but it has an impact of slowing decision-making and adding administrative burden when carried out manually without technology that automatically records their work and decision-making.”

Negotiating protections

Ultimately, whether CEOs provide CISOs with protections may depend on talent market dynamics. In the meantime, veteran security leader Jim Routh, who has held CISO-level roles at Mass Mutual, CVS, Aetna, KPMG, American Express, and JP Morgan Chase, counsels CISOs and prospective CISOs to push for key contractual protections.

“Severance needs to be triggered by any change in reporting” structure, said Routh, who today serves as chief trust officer at security vendor Saviynt. CISOs “need the protection.”

Other key elements, Routh said, are insurance protections and ensuring the enterprise pays any necessary fees for an independent attorney, one not beholden to the enterprise’s interests. CISO contracts should also deliver full indemnification, meaning that the enterprise will pay for any judgments, penalties, fines, or compensation directly related to the CISO’s official duties, Routh said.

On the insurance side, Crum & Forster in November rolled out professional liability insurance explicitly designed for CISOs.

First seen on csoonline.com

Jump to article: www.csoonline.com/article/3631759/personal-liability-sours-70-of-cisos-on-their-role.html
