Security leaders do not want to be held personally liable for attacks
- A third of security professionals view CISO roles as ‘no-wins’
- Companies still do not provide security personnel with sufficient resources
- 15% say threats of prosecution prevent them from taking on a CISO role
Amid the ongoing skills shortage, new research has revealed why many IT experts are unwilling to take on a cybersecurity role, despite healthy earning potential.
Seven in 10 IT security decision makers surveyed by BlackFog say stories about CISOs being held personally liable for cybersecurity incidents have negatively impacted the way they view the role, putting them off to grow into management and leadership positions.
Additionally, survey participants added that leaders with responsibility often find themselves in a no-win situation, which only adds to the stress of the role.
Cybersecurity workers don’t want the pressure
One in three (34%) noted that safety leaders would either face internal consequences if they did not report their findings, or face public criticism and possible prosecution if they did. However, the pressure doesn’t just come from within, as regulatory measures impact how companies deal with cybersecurity incidents.
Nearly half (44%) added that their companies have already implemented processes to reduce their cybersecurity exposure to avoid regulatory scrutiny and liability.
Two in five (41%) also noted that their boards are taking cybersecurity more seriously as a result, but security professionals are still waiting for leaders to take action, for example by providing more resources; only 10% see more money being spent on cybersecurity efforts.
“The role of the CISO is all about managing risk to the organization, but as regulations become more stringent, security leaders must increasingly consider their own personal risk,” said BlackFog CEO Dr. Darren Williams.
The survey revealed a clear divide: half (49%) believe that the possibility of an individual being prosecuted following a cyber-attack would improve accountability and transparency, while 15% say it would deter them from engaging in to take on a CISO role in the future. .
Dr. Williams called for clearer governance and procedures for reporting and responding to incidents, but cybersecurity workers, including CISOs, need the support of their companies.