
Blogs & Opinions 11.09.2025
Why Regulations and Lawsuits Are Persuading CISOs to Take Out Indemnity Insurance
A sword of Damocles is swinging over the heads of corporate security leaders.
Even by the tough standards of the job, the past few years have been bruising for chief information security officers (CISOs). On top of the day-to-day task of keeping companies safe, they must contend with external forces that now shape the role more than ever.
Pressure hit a new high in 2023 and hasn’t dipped since. In October, the US Securities and Exchange Commission (SEC) charged SolarWinds Corporation and its former CISO with fraud and internal control failures linked to the 2020 attack. It was the first time a CISO faced SEC charges over a breach, and foreshadowed closer scrutiny of security disclosures in shareholder reporting. Errors or omissions now carry personal and corporate risk, with CISOs in the firing line for inaccuracies.
At the same time, pressure on senior executives has increased on this side of the Atlantic, through regulations such as DORA and NIS2. The UK’s Cyber Security and Resilience Bill is similarly expected to place increased accountability on the shoulders of CISOs and their peers.
Little surprise, then, that nearly three quarters of corporate security leaders have taken out indemnity insurance to cover themselves. These are symptoms of an approach that doesn’t scale to meet the demands of today’s interconnected technology, business, threat and regulatory landscapes. To move beyond a blame culture, they need clear, timely information that better quantifies risk, underpins decisions with trusted data, and helps to drive accountability.
Cybersecurity now touches the whole organisation. It is a business issue, not a problem for the technology team alone. In fact, most CISOs only control a fraction of the tools, processes and people needed to do the actual work. The rest may be owned by colleagues with little understanding of what is a complex, highly technical subject. Additionally, while CISOs are held accountable for security, they generally don’t have the authority to ensure other responsible parties follow through on their obligations.
These challenges are compounded by the rapidly expanding corporate IT footprint. With new tools, users and vulnerabilities added to the digital estate on a daily basis, CISOs are losing sight of and control over security. This means that, in most organisations, thousands of unknown assets may slip through the gaps. Visibility and control are fragmented across dozens of cyber tools, increasing complexity exponentially.
While other business functions run on a system of record, CISOs don’t have this luxury. People teams have Workday. Sales has Salesforce. Finance has SAP. CISOs, on the other hand, have spreadsheets. Without a single source of truth they cannot maintain an accurate asset inventory, verify control status, assign ownership, translate cyber risk into business terms, hold the business to account or track remediation.
The inevitable outcome is preventable breaches that are hard to explain to the board, regulators and customers. These incidents increase pressure on CISOs and heighten exposure to litigation and compliance failures.
With this sword of Damocles constantly swinging over their heads, CISOs must bridge the gap between control and accountability. They need a system of record they can trust to ensure they are reporting accurately and in good faith.
Traditional security tools can only report on what they can see. They don’t know what they’re missing, or where they are not deployed but should be. These tools are unreliable witnesses because they lack a true denominator: a full, verified inventory of all assets and security controls. Without this, CISOs can’t confidently assess coverage gaps or prove compliance with evolving regulatory demands.
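The denominator problem above, as an added example (not the article's or Panaseer's code): each tool's own dashboard reports 100% coverage of the hosts it can see, while measuring the same report against a verified inventory exposes both the uncovered hosts and the assets nobody inventoried. The inventory, tool names and host names are all constructed.

```python
# Added example (not the article's or Panaseer's code): reconciling what
# security tools report against a verified asset inventory, the "denominator".
from dataclasses import dataclass

# Constructed data: the verified inventory of in-scope hosts ...
INVENTORY = {"web-01", "web-02", "db-01", "db-02", "jump-01", "hr-laptop-7"}
# ... and the hosts each hypothetical control claims to protect.
TOOL_REPORTS = {
    "edr": {"web-01", "web-02", "db-01", "jump-01", "legacy-ftp"},
    "vuln_scanner": {"web-01", "web-02", "db-01", "db-02", "legacy-ftp", "printer-3f"},
}

@dataclass(frozen=True)
class Coverage:
    control: str
    covered: frozenset  # inventory hosts the tool reports on
    gaps: frozenset     # inventory hosts the tool has never seen
    unknown: frozenset  # hosts the tool sees that the inventory lacks

    # A tool's own dashboard sees 100% of what it sees; it cannot count its gaps.
    SELF_REPORTED_PCT = 100.0

    @property
    def true_pct(self) -> float:
        """Coverage measured against the verified denominator, not the tool's view."""
        denominator = len(self.covered) + len(self.gaps)
        return round(100.0 * len(self.covered) / denominator, 1) if denominator else 0.0

def reconcile(inventory: set, reports: dict) -> dict:
    """Compare each control's view of the estate against the inventory."""
    return {
        control: Coverage(control, frozenset(inventory & seen),
                          frozenset(inventory - seen), frozenset(seen - inventory))
        for control, seen in reports.items()
    }

def unknown_assets(inventory: set, reports: dict) -> set:
    """Hosts some tool knows about but the inventory does not: candidates to onboard."""
    return set().union(*reports.values()) - inventory

if __name__ == "__main__":
    for cov in reconcile(INVENTORY, TOOL_REPORTS).values():
        print(f"{cov.control}: dashboard says {cov.SELF_REPORTED_PCT}%, "
              f"true coverage {cov.true_pct}%, gaps={sorted(cov.gaps)}")
    print("unknown to inventory:", sorted(unknown_assets(INVENTORY, TOOL_REPORTS)))
```

With the constructed data both tools claim 100% but cover only 66.7% of the inventory, and two hosts turn up that no inventory owner has ever been assigned.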
By shining a light on these areas of vulnerability and giving context to threats, security practitioners can validate, prioritise and collaborate with control owners to address the areas of greatest risk. With this foundation in place, cybersecurity can then be translated for stakeholders who need to carry out tasks or understand progress, removing the technological and human friction that blocks accountability, risk management and compliance.
This spreads responsibility across the business and lowers the odds of a preventable breach. CISOs who close the accountability gap with a system of record can drive collaboration and improve accountability. And in the process, they can protect themselves from litigation and regulatory action.
Jonathan became CEO of Panaseer in 2021 after a successful career at both niche start-up and large-scale cybersecurity vendors. He was inspired by the company’s mission and values, while recognising that Continuous Controls Monitoring has the potential to transform enterprise security by addressing the root causes of breaches. His previous roles include VP EMEA at RSA Security, EVP of Global Sales for Veracode and GM EMEA for Talend.