Most organizations change policies to reduce CISO liability risk
93% of organizations made policy changes over the preceding 12 months to address concerns about increased personal liability for CISOs, according to Fastly. This includes two in five organizations (41%) increasing CISO participation in strategic decisions at the board level.
CISO liability under the spotlight
In late 2023, newly adopted regulations, such as the SEC rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies, along with other headlines, put increased focus on corporate accountability for data breaches and heightened concern about CISO liability.
To reduce this risk, 38% of Fastly research respondents have promised “increased scrutiny of security disclosure documentation from supervisory agencies” while 38% have improved legal support for cybersecurity staff, including liability insurance, and corporations have allocated more resources to security in the past year.
“It’s encouraging to see the vast majority of companies making changes to liability disclosure given the inevitability of another worldwide outage that will put CISO accountability back into the spotlight. However, while investing in legal protection is an important step, this change is often more about shielding organizations from legal risk rather than fostering meaningful accountability to drive better security practices,” says Fastly CISO Marshall Erwin.
“Proper accountability requires moving beyond liability insurance and disclosure edits. For meaningful change, we need to view accountability as a positive force to incentivize better security. For that, we need better, clearer standards from regulators and enforcers that distinguish between unavoidable incidents and avoidable ones resulting from truly deficient security practices,” added Erwin.
Organizations struggle with accountability for cybersecurity incidents
Research also found that 46% of organizations are unclear about who holds ultimate responsibility for cybersecurity incidents whilst only 36% have clearly delineated roles and responsibilities within their teams.
“CISOs do not make the final call on every decision. When it comes to security risks, the question a board should be asking is, ‘Are we aligning the budget to address the risks the CISO has communicated to us?’ This is where accountability should start – at the senior leadership level, with clear communication and alignment of resources,” concluded Erwin.
This responsibility doesn’t just fall on one person – it requires clear communication at every level of the organization to understand how and why cybersecurity risks should be mitigated and how efforts should be aligned to reduce exposure.
Cyber recovery takes longer than expected
Organizations are not as good at recovering from cyber incidents as they think. On average, they expect recovery to take 5.85 months. In practice, it takes around 25% longer, at 7.34 months. Recovery times rise as cybersecurity investment falls. Companies that plan to spend less during the coming year expect recovery to take over 8 months.
Almost no companies are untouched by cyber incidents. On average, they have suffered almost 40 known cyber incidents in the last year, and fewer than one in ten have experienced none. US organizations have seen the most – on average one incident per week. Larger organizations have fared even worse, with 64 incidents a year on average, reflecting their larger attack surface.
Plenty of threats stem from simple mistakes. Misconfigured IT assets have caused problems for 25% of respondents, and software bugs for 33%. However, the patches and other IT changes needed to address them often don’t arrive quickly enough, causing security problems for 18% of companies.
Skills are a big stumbling block in cybersecurity, with 30% of respondents citing a lack of skills to counter modern security threats as a challenge. 47% haven’t invested enough in cybersecurity talent through new hires and wage increases. Training and talent acquisition is the top priority in the coming year, at 28%.