Blaming the CISO Is Counterproductive

December 15, 2022


Holding the chief information security officer responsible after a company discovers a data breach sounds like a no-brainer. Not long ago the CEO bore the responsibility, but increasingly CISOs have become the scapegoat, often losing their jobs and sometimes facing legal culpability. This creates a precedent that could put companies at greater risk, argues Sue Poremba, writing for Security Intelligence. The CISO isn't always the one making decisions about which security systems a company needs; that is usually someone higher up the management ladder with more clout but less technical know-how. Most data breaches and other cyber incidents are caused by employees who use weak passwords or fall for phishing emails and social engineering attacks. Boards of directors and high-level executives want to show their stakeholders and customers that someone with the word "security" in their job title is held responsible, but ultimately this can make organizations more vulnerable to attack. Poremba shows how two recent, highly publicized cyberattacks, SolarWinds and Uber, fed this trend. There is already a serious talent shortage in the cybersecurity field, she says, and making the CISO personally liable for breaches could cause fewer people in the security industry to move into leadership roles.
