BlackFog unveiled its research conducted with UK and US
IT Security decision makers.
The research revealed that the majority of respondents, 70%, felt that
stories of CISOs being held personally liable for cybersecurity
incidents has negatively affected their opinion of the role. Around a
third of respondents, 34%, believed that the trend of individuals being
prosecuted following a cyberattack was a ‘no-win' situation for security
leaders: facing internal consequences if they report failings and
prosecuted if they don't.
However, as cybersecurity leaders face increased scrutiny from
regulators, the research also indicated that the increased
accountability has led to internal changes to improve cybersecurity
practices within their organization: 44% of respondents stated that
their organization had already implemented processes to reduce their
cybersecurity exposure, as a result.
The other key findings show:
Increased Visibility for Cybersecurity
-
41% of respondents say the trend of cybersecurity leaders
facing increased scrutiny and the potential of personal liability has
made the Board take cybersecurity more seriously. This was higher
amongst UK respondents, with 47% of security leaders in the UK agreeing
it was given greater consideration as a result, versus 35% in the US.
-
This has yet to translate into more resources, as only 10% of all
respondents stated that this has resulted in additional money devoted to
cybersecurity.
Greater Transparency
-
Nearly half of all respondents, 49%, believe that the potential for an
individual to be prosecuted following a cyberattack would improve
accountability and transparency amongst cyber professionals. This was
higher for respondents in the US (55%) compared with those in the UK
(43%).
-
When asked about the impact on the cybersecurity leaders of the future,
however, only a small proportion of respondents, 15%, believed that it
would be a deterrent for IT professionals to become CISOs.
Commenting on the findings, Dr. Darren Williams, CEO and Founder,
BlackFog said: "The role of the CISO is all about managing risk for the
organization but, as regulations tighten, security leaders increasingly
need to consider their own personal risk. High profile instances of
individuals being charged will no doubt add to the pressures they feel
but could also be a catalyst for Boards to support their leaders.
Improvements to governance, clear lines of reporting and incident
response procedures are vital, but this must be supported by allocated
resources so that security leaders can implement the security measures
they need."