Blogs & Opinions 18.07.2024

How CISOs Can Navigate Legal Risk and Accountability

CISOs are often stretched thin, and frequently without the same protections as other executive team members.

CISOs can only thrive if they have the right support. With increasing legal pressure and a fast-evolving to-do list, Mike Britton looks at what it takes for a CISO to succeed.

The role of the CISO has expanded dramatically as digitalisation accelerates and organisational demands evolve. No longer confined to securing IT infrastructure, modern CISOs are now tasked with overseeing areas such as operational technology (OT) security, managing cyber risks, ensuring operational resilience, and driving innovation. This broadening scope is welcomed by security teams who recognise its necessity, but it also brings heightened pressure. Recent high-profile cases, such as the sentencing of former Uber CSO Joe Sullivan, highlight the growing scrutiny – and even legal risk – that CISOs face. The high-stakes nature and constant pressure of this role often deter potential candidates at a time when their expertise is more crucial than ever.

Cyber attacks are on the rise, yet CISOs often face shrinking budgets, forcing them to do more with less and continually adapt to new and complex security challenges. So, how can CISOs elevate their roles to make the greatest impact?

Shared responsibility for impactful CISO leadership

As the role of the CISO has expanded, effective cybersecurity has required the partnership between CISOs and business leaders to grow. However, despite its importance, the role often lacks the resources and support needed for it to be truly recognised as a C-level position. The onus is often on the CISO to appeal to the business’s strategic interests; however, it is equally vital for business leaders to understand the security team’s challenges and strategies and to actively engage in cybersecurity efforts.


The most effective CISOs can balance technical and business priorities with the ability to translate cyber risks into business terms to gain broader support. At the same time, organisations should foster a culture where leaders are inquisitive about cyber risks and seek ways to support security teams. Setting the ‘tone at the top’ is crucial; the entire leadership team must consistently advocate for cybersecurity, demonstrating their commitment through tangible actions, not just rhetoric. This collaborative approach ensures cybersecurity is well-supported to drive organisational success, while protecting the organisation from ever-evolving threats.

Navigating the boardroom

Like nurturing relationships with senior leadership within the company, CISOs can also benefit from garnering support from another group of influential decision makers: their board. This will require security leaders to adeptly navigate the diverse personalities of board members and understand their unique expectations and priorities to effectively align messaging and garner support.

Effective communication is key, and CISOs must clearly articulate what they need from their board to be successful. Board communication should present a clear picture of programme maturity, organisational risks, and areas for improvement. One effective approach is storytelling, which translates complex issues into relatable terms for board members who may not be familiar with technical jargon or the cyber threat landscape in general. CISOs should also be continually prepared to answer the board’s questions and ensure members leave meetings with a clear understanding of their role in corporate governance, alongside actionable next steps to expand security best practices.

Additionally, CISOs should be prepared to discuss the implications of new technologies like AI on the company, both positive and negative. Creating awareness around emerging threats, especially those that are enabled through AI, can help ensure that the board is engaged in evolving cybersecurity practices.

Consistent expectations and liability coverage

There is a common expectation that security must be flawless, as one severe attack can spell the end of a CISO’s career. The intense pressure to be perfect, combined with staffing challenges in a competitive job market, means CISOs are often stretched thin – and often without the same protections as other executive team members.

It’s currently uncommon for companies to provide full liability coverage for CISOs. This lack of support can incur immense stress and contribute to turnover, which disrupts organisational security. When a CISO leaves, it creates instability and stress among the staff and leaves the organisation ill-prepared to deal with a security incident should one arise before a new leader is in place. And when a new leader arrives, they may bring in their own team, prompting existing employees to seek new opportunities. This cycle can be highly disruptive for the company’s security talent and hamper the effectiveness of its security programme.

To prevent turnover, organisations must provide robust support for their security leaders, including comprehensive liability coverage. This will help retain talent and ensure that CISOs can focus on their critical tasks – without the constant fear of job loss due to factors beyond their control.

There is little denying that CISOs can make a major difference in their organisations, but their ability to thrive and perform effectively in their roles requires support and stability. Organisations must foster a collaborative culture where CISOs feel heard, understood, and championed. This support ensures CISOs can focus on safeguarding the organisation, ultimately leading to a more resilient and secure business environment for leaders and employees alike.

Mike Britton is the CISO of Abnormal Security. Prior to Abnormal, Mike spent six years as the CSO and chief privacy officer for Alliance Data and previously worked for IBM and VF Corporation. He brings 25 years of information security, privacy, compliance, and IT experience from multiple Fortune 500 global companies. Mike holds an MBA from the University of Dallas and a BA in Political Science from the University of Mary Washington.
