
The Growing Legal Perils for Chief Information Security Officers

August 7, 2024


According to an article by Dark Reading, chief information security officers (CISOs) and infosec professionals are increasingly being targeted, and they now face unprecedented scrutiny and prosecution in the wake of major cyberattacks.

One example highlighted in the article is Joe Sullivan. In April 2016, President Obama appointed Sullivan, then Uber’s Chief Security Officer, to the Commission on Enhancing National Cybersecurity. Despite his extensive background, including roles at the Department of Justice and prosecuting the first Digital Millennium Copyright Act (DMCA) case, Sullivan faced legal issues for mishandling a 2016 data breach and remains in court defending himself. 

The government has historically used various methods to encourage corporate cybersecurity, transitioning from public-private partnerships to placing more responsibility on larger corporations, as seen in the Biden administration’s 2023 National Cybersecurity policy. 

With Congress polarized, the executive branch resorts to lawsuits to set precedents in cybersecurity enforcement. Sullivan notes that while targeting foreign hackers is ineffective, US-based security leaders are often scapegoated to deter negligence and promote better corporate practices.

However, according to other experts cited in the article, this approach may deter top talent from CISO roles, leading to underqualified individuals filling these critical positions. 

Jess Nall of Baker McKenzie LLP stresses the need for security leaders to understand government investigations, company interactions, and resolution incentives. Building strong communication and collaboration within organizations can protect Chief Information Security Officers from being singled out. 

Karthik Swarnam of ArmorCode advises establishing clear risk communication channels and involving board members in cybersecurity decisions to mitigate risks and distribute responsibility.

Ultimately, Nall and Sullivan agree that robust cross-functional communication is crucial for security leaders to navigate legal challenges and ensure organizational resilience.
