IT Brief Australia - Technology news for CIOs & IT decision-makers

Organisations question CISO liability policy effectiveness

Today

Research conducted by Fastly has indicated that while a majority of organisations have implemented policy changes to mitigate personal liability risks for Chief Information Security Officers (CISOs), the effectiveness of these measures remains questionable.

The study surveyed 1,800 cybersecurity leaders globally and highlighted that 93% of organisations have introduced policy adjustments over the past year to address the personal liability concerns of CISOs. Of these organisations, a notable 41% have actively increased the involvement of CISOs in strategic decision-making at the board level.

Regulatory developments, such as the SEC's newly adopted rules on Cybersecurity Risk Management, have amplified the focus on corporate accountability for data breaches. This regulatory landscape has pressured companies into providing greater legal support and scrutiny around cybersecurity practices. According to the research, 38% of the surveyed organisations have pledged to enhance the scrutiny of security disclosure documentation, and another 38% have bolstered legal support for cybersecurity staff, which includes liability insurance.

Fastly's Chief Information Security Officer, Marshall Erwin, commented on the findings, stating, "It's encouraging to see the vast majority of companies making changes to liability disclosure given the inevitability of another worldwide outage that will put CISO accountability back into the spotlight. However, while investing in legal protection is an important step, this change is often more about shielding organizations from legal risk rather than fostering meaningful accountability to drive better security practices." He further noted, "Proper accountability requires moving beyond liability insurance and disclosure edits. For meaningful change, we need to view accountability as a positive force to incentivize better security. For that, we need better, clearer standards from regulators and enforcers that distinguish between unavoidable incidents and avoidable ones resulting from truly deficient security practices."

The research identifies a significant gap in organisational clarity regarding responsibility for cybersecurity incidents. Nearly 46% of organisations remain unsure about who holds ultimate responsibility, with only 36% specifying clear roles and responsibilities within their teams.

Marshall Erwin added, "CISOs do not make the final call on every decision. When it comes to security risks, the question a board should be asking is, 'Are we aligning the budget to address the risks the CISO has communicated to us?' This is where accountability should start - at the senior leadership level, with clear communication and alignment of resources."

Erwin emphasises that shared responsibility within companies is key, which requires transparent communication across all organisational levels: the understanding of cybersecurity risks and the resources committed to mitigating them must be aligned if exposure is to be reduced collectively.

The report suggests that industries need to prepare better for potential high-profile incidents by adopting stronger frameworks that incentivise effective action beyond mere compliance. Organisations are encouraged to treat CISO liability not as a threat to be insured against but as an opportunity to reinforce their security frameworks and drive lasting organisational change.
