Introduction
Chief information security officers (CISOs) are under increasing scrutiny as high-profile breaches make headlines and regulators demand accountability. According to a recent survey of 1,000 security leaders by Fastly, 93% of organizations have changed their security policies in response to growing concern that CISOs could face personal liability for cyber incidents [1].
A New Era of CISO Accountability
The survey, summarized by Infosecurity Magazine, found that nearly half of organizations have raised the CISO's profile and resources. Forty-one percent reported that their security leader now sits on board committees, and 38% said they have increased legal support and professional liability coverage [1]. This shift comes in the wake of cases like the prosecution of Uber's former CISO Joe Sullivan and charges against SolarWinds executives, which highlighted the personal risks facing cyber leaders. New regulations such as the EU's NIS2 directive also make directors personally accountable for failing to manage cyber risk [2].
Confusion and Compliance Challenges
Despite the heightened focus, the same survey shows that 46% of respondents are unclear about who is ultimately responsible for cybersecurity in their organization [1]. Without clear laws and standards, CISOs are caught between legal obligations, corporate governance and resource constraints. Experts interviewed by Infosecurity argued that regulators need to provide more granular guidance, while organizations must clearly define roles and responsibilities to avoid scapegoating [2].
What CISOs Can Do
- Document all decisions, especially around risk acceptance and incident response.
- Engage the board regularly to ensure leadership understands cybersecurity posture.
- Advocate for adequate legal support and directors and officers (D&O) insurance.
- Push for multi-factor authentication, vulnerability remediation and security training.
- Encourage the organization to establish clear incident disclosure processes.
Conclusion
The specter of personal liability is changing the role of the CISO. While regulations and court cases send a message that negligence will not be tolerated, organizations can protect both themselves and their security leaders by clarifying governance structures, investing in legal and insurance protections and maintaining a strong security program.
Sources
[1] Infosecurity Magazine summary of the Fastly survey, noting that 93% of organizations have changed policies due to CISO liability concerns, that 41% have increased board participation and that 38% have improved legal support.
[2] Infosecurity Magazine discussion of regulatory pressure such as the EU's NIS2 directive and calls for clearer standards on CISO liability.