The rise of CISO stress: Recognising and reconciling the threat of litigation for CISOs
As the economy shifts further towards a digital-first mindset, CISOs have found themselves increasingly affected on a personal level. From managing bigger teams to carrying more risk and responsibility, the role of CISO extends well beyond the typical 9-5. Worryingly, Gartner predicts that nearly half of cybersecurity leaders will change jobs by 2025, which, given the cybersecurity skills gap and talent shortage, is particularly concerning. Furthermore, according to the Salt Security State of the CISO report, rising work-related stress is one of the top challenges for CISOs, with 43% of CISOs reporting it as a top concern. Stress, if left unmanaged, can have large and sustained effects on well-being and mental health.
The Threat of Litigation Is the Biggest Personal Stressor for CISOs
The same Salt Security State of the CISO survey revealed that one of the biggest stressors for CISOs is the risk of personal litigation stemming from breaches: nearly half of CISOs worldwide view this as a significant personal barrier to doing their jobs. That concern is not surprising. A fresh litigation trend with unsettling implications has emerged: recent headlines have been marked by several high-profile legal actions targeting CISOs, who are being held personally accountable for security breaches and for inadequacies in their organisations' incident response.
Consider the case of the former CISO of Uber, who was convicted in a US federal court in October 2022 of obstructing an FTC investigation and misprision of a felony "for his involvement in concealing a 2016 data breach." The breach, which exposed the personal data of tens of millions of Uber users and drivers, resulted in a sentence of three years' probation and a $50,000 fine for the CISO.
More recently, SolarWinds found itself in a precarious situation following the 2020 SUNBURST supply chain attack, which placed companies and government agencies running its Orion software in jeopardy. In June 2023 the Securities and Exchange Commission (SEC) issued Wells notices to current and former SolarWinds executives, including its CFO and CISO, signalling the SEC staff's intention to recommend enforcement action.
With litigation a serious concern, it's no wonder it's hard to attract and retain the right talent. A recent survey by the International Cyber Expo found that 15% of the public would hold the CEO or board members of a targeted organisation responsible if a cyberattack occurred. Even more worryingly, 14% of respondents believe the software developers behind cybersecurity solutions should face the harshest penalty in the event of a data breach at an organisation. The public's preferred punishment for the individuals responsible for a data breach? More than a third said prison.
It is not surprising, then, that security professionals hurtle towards burnout (working overtime, missing holidays and family commitments, and so on) in an attempt to stop breaches from happening in the first place. In a climate where the role of the CISO holds unprecedented importance, these professionals may start declining top job offers or demanding indemnification and insurance, adding cost and complexity for the business.
Four Steps to Reduce the Stress of Litigation
There are four steps that high-ranking security professionals and business leaders can take to mitigate and manage this concern and reduce stress:
Foster a Collaborative Security Culture
A security breach should not result in a single individual being scapegoated, and avoiding that starts at the top: cultivating a culture of security is a top-down endeavour. The entire C-suite and board of directors must emphasise the significance of security across all cross-functional departments. Every member has a role in ensuring the safety and security of the organisation's data and assets.
Moreover, organisations should establish a robust security incident reporting process that documents the sequence of events and ensures that key stakeholders—such as the board, other C-level executives and cybersecurity working groups—are promptly informed should any issues arise. With escalating security risks, these protective measures should be universally adopted.
Putting an End to the Blame Game
CISOs' concerns about personal litigation arising from breaches demand attention. Just as scapegoating must be eradicated, assigning sole accountability to top security leaders for breaches initiated by cybercriminals is unjust. This matters all the more given the upward trajectory of security threats, as cybercriminals adopt new tactics and technologies such as AI to infiltrate and attack organisations.
Enforce a Policy of Transparent Communication About Security Breaches
In the event of a security incident, organisations must be forthright about the occurrence, promptly sharing information with affected parties and providing guidance and an open line of communication regarding necessary precautions until the threat is contained.
This policy should cover both external and internal communications as part of the disclosure protocol. Identified issues should be acknowledged and resolved swiftly, without hesitation.
Consider Solutions That Provide Visibility to Counter the Most Significant Potential Threats
CISOs should have security tools that offer a comprehensive view of the interconnected risks spread across an organisation's APIs, applications, infrastructure and data repositories.
That visibility lets CISOs demonstrate their progress in closing security control gaps and mitigating security threats.
Regrettably, CISOs often struggle to win stakeholder support for the resources they need. In the same 2023 Salt Security CISO survey, for instance, more than one-third of global CISOs reported difficulty justifying the cost of security investments to address escalating risks.
Litigation Threat: A Shared Responsibility
Business leaders share the responsibility alongside CISOs and must ensure processes are in place to support this shared accountability. Organisations must display integrity by openly addressing potential security incidents to safeguard all potentially affected parties. Above all, enterprises must allocate the necessary budget to their security teams to procure the tools and build the teams required to defend an expanding attack surface against malicious actors armed with new tools of disruption. APIs, the building blocks of modern enterprises, are a good place to start, since an unsecured API offers an entry route to even the most amateur attacker. By doing so, organisations can minimise allegations of negligence and demonstrate that they have diligently employed all available precautions to safeguard their infrastructure and critical data.