The growing trend of holding Chief Information Security Officers (CISOs) personally accountable for security failures is making security professionals hesitant to accept these positions.

Former Uber CISO Joe Sullivan [1] [2], who was convicted in 2022 for concealing the theft of personal information [1] [2], discussed the broader consequences of CISOs being held personally responsible for security incidents [1]. He pointed to the recent charges against SolarWinds and its CISO for downplaying cyber risks [1]. Sullivan emphasized that the CISO role is unique and that CISOs face a lack of regulatory clarity [1]. Despite the personal risks involved [1], he advised CISOs to develop incident response plans [1] [2], foster better internal relationships [1] [2], assemble a trusted team [1], and establish efficient incident response protocols modeled on the way fire stations operate. Sullivan believes the security industry is at a critical juncture [1] and that professionals must decide how they wish to be perceived [1]. The trend is pushing CISOs to focus on self-preservation rather than the larger picture [2], leading some to contemplate leaving the profession. Sullivan nonetheless sees an opportunity for change in cybersecurity regulation [2]. He recommends that CISOs also create personal incident response plans for themselves, cultivate stronger internal relationships [1] [2], and make sure a reliable security team is in place.

The increasing trend of holding CISOs personally liable for security failures has significant implications: it discourages security professionals from taking on these roles and may weaken the overall effectiveness of cybersecurity efforts. To address these concerns, CISOs should prioritize developing incident response plans, fostering better internal relationships [1] [2], and assembling trusted teams. Clearer regulatory guidelines for the cybersecurity industry are also needed. By addressing these challenges, the profession can adapt to the changing landscape and continue to protect critical information and systems.