The level of burnout among CISOs is reaching critical levels. Struggling with limited budget while facing increasing pressure and possible personal liability, many are choosing to quit. And with cyber skills in short supply, there’s a limited pool of applicants that are keen or able to take their place, explains Bill Mew.
The lot of a Chief Information Security Officer (CISO), often seen as a fairly thankless task, is getting progressively worse at a time when cyber risk is reaching epidemic proportions. Back in September 2020 I wrote an article looking at the increasingly complex question of liability for cyber incidents. I predicted that before too long CISOs and other board members would be facing personal liability for cyber incidents.
In its State of the CISO 2023 research report, Salt Security found that almost half (48%) of CISOs are now concerned about personal litigation stemming from breaches, with almost as many worried about increased personal risk/liability (45%). Personal litigation ranked as the top concern among a range of personal challenges that also included digital transformation, job-related stress, expanded responsibilities, bigger teams to manage and lack of time.
I was fortunate enough to meet up with Stephanie Best, the cybersecurity product marketing leader at Salt Security, who shared her insights on the research.
While globally the level of concern over personal litigation stemming from breaches was high at 48%, it was less of a concern in the US (46%) than in Europe (56%). It was highest of all in the UK, at 60%. This is despite the fact that we have so far seen very few cases of personal liability for cyber-related incidents, all of which were litigated in the US.
In a move that is causing a stir among cybersecurity professionals and will reinforce the fears expressed in the research, the US SEC has recommended legal action be taken against individual SolarWinds employees, including the CISO.
Nevertheless, while fear of personal litigation dwarfed other concerns in all regions, CISOs had a fair number of other worries.
Concern about increasing job-related stress averaged 38% globally, as it did in the US and in Europe as a whole, but was higher in the UK at 43%. Meanwhile, having expanded responsibilities but not enough time to fulfil them was a concern for 43% worldwide, and was marginally higher in the US (44%) than in Europe (42%).
The prospect of an economic downturn may well squeeze budgets while increasing the burden of responsibility on CISOs. On top of this there is a wave of forthcoming regulation such as DORA (the EU Digital Operational Resilience Act), which introduces requirements for financial services firms in the EU covering cyber/ICT risk management, incident reporting, resilience testing and third-party outsourcing, all of which will add further complexity and stress.
Arguably, however, the new wave of regulation on everything from critical infrastructure resilience to AI is simply building on responsibilities that have always existed, such as the Senior Managers and Certification Regime (SMCR), a UK financial services regulation that imposes personal accountability on senior executives. What is starting to change is the notion that a bank or other organisation should be held responsible for preventing incidents, and that this responsibility should fall on the CISO personally.
This stems from a culture of blame that is peculiar to cybersecurity. In any incident the press and public look for an over-simplistic narrative that identifies victims and villains. If bank robbers hold staff at gunpoint and empty a bank's vault, the robbers are quite obviously the villains, and the bank, its staff and its customers are seen as the victims. If the same bank is hacked, however, the press and public will blame the bank itself for not having prevented it: even though the bank is the victim of a serious crime, it is cast as the villain for that failure. This is why traditional crisis management techniques don't work for a cyber incident.
At the same time, too many organisations see cybersecurity as a technology problem that is simply the remit of the CISO, when in fact it is a business problem shared by all. The CISO's role is to put preventative measures in place and to foster an organisational culture that values data and its protection.
The extent to which CISOs' fears of personal litigation stemming from breaches are founded will be gauged by the number of cases brought against them following the new wave of legislation. Nevertheless, the fact that the press and public already blame organisations for cyber failures should not be grounds for scapegoating the CISO when things go wrong. Instead it should be grounds for empowering the CISO to improve both prevention AND incident response, because it isn't just the CISO whose head is on the block: the other board members are equally at risk, as is the organisation's greatest asset, trust in its brand.