Introduction
In recent years, organizations have increasingly focused on addressing the personal liability of Chief Information Security Officers (CISOs) due to heightened regulatory scrutiny and evolving cybersecurity threats. This shift has led to significant policy changes and resource allocation aimed at enhancing corporate accountability and improving security practices.
Description
Nearly all (93%) organizations have implemented policy changes in the past year to address concerns regarding personal liability for Chief Information Security Officers (CISOs) [3] [4] [6]. This includes 41% of organizations increasing CISO involvement in strategic board-level decisions [1] [4] [6]. The introduction of new regulations [6], such as the SEC rules on Cybersecurity Risk Management and Incident Disclosure [3] [4] [5], has heightened corporate accountability for data breaches [3] [4] [5] [6], intensifying concerns about CISO liability [3] [4] [5] [6].
In response to these risks, 38% of organizations have committed to enhancing scrutiny of cybersecurity disclosure documentation and improving legal support for cybersecurity personnel [3] [4] [6], including acquiring liability insurance [1] [2] [3] [4] [5]. Despite these efforts, nearly half of organizations (46%) remain uncertain about who is ultimately responsible for cybersecurity incidents [5] [6], with only 36% having clearly defined roles and responsibilities within their teams. This gap underscores the need for effective communication at all organizational levels to address and manage cybersecurity risks.
Additionally, corporations have allocated more resources to security initiatives over the past year [3]. Notable cases highlighting these trends include the conviction of former Uber CISO Joe Sullivan in 2022 for covering up a data breach and the SEC’s charges against SolarWinds and its CISO Tim Brown in October 2023 for allegedly downplaying cyber risks [1].
As regulatory standards evolve [5], organizations should view CISO liability as an opportunity to enhance security postures and foster long-term improvements [5]. Marshall Erwin [2] [5], CISO at Fastly [5], emphasizes the importance of clearer regulatory standards that differentiate between unavoidable incidents and those resulting from inadequate security practices, so that accountability is meaningful and actually drives better security. Effective accountability requires alignment of resources with identified risks across the organization.
Conclusion
The evolving landscape of cybersecurity regulations and the increasing focus on CISO liability present both challenges and opportunities for organizations. By proactively addressing these issues through policy changes, enhanced legal support, and resource allocation [6], companies can improve their security postures and foster a culture of accountability. As regulatory standards continue to develop, organizations must remain vigilant and adaptable, ensuring that their cybersecurity strategies are robust and aligned with emerging risks.
References
[1] https://www.infosecurity-magazine.com/news/ciso-liability-risks-policy-changes/
[2] https://www.itpro.com/business/business-strategy/how-enterprises-are-adapting-to-personal-liability-rules
[3] https://www.securitysolutionsmedia.com/2025/03/05/fastly-research-reveals-93-of-organisations-working-to-reduce-ciso-liability-risk/
[4] https://markets.financialcontent.com/stocks/article/bizwire-2025-3-4-fastly-research-reveals-93-of-organizations-working-to-reduce-ciso-liability-risk
[5] https://vmblog.com/archive/2025/03/04/fastly-research-reveals-93-of-organizations-working-to-reduce-ciso-liability-risk.aspx
[6] https://www.securitymagazine.com/articles/101437-36-of-organizations-have-outlined-roles-within-cybersecurity-teams