How to Navigate Personal Liability as a CISO
So the CISO role has multiplied in responsibilities yet again: CISOs must now figure out how to minimize professional AND personal risk. Until recently, the personal risk for a CISO in the face of a cyber attack or breach was losing their job, now it could be far worse.
The inevitability of a cyber-attack is looming, so let's talk about how to navigate the risks to best demonstrate your initiatives and ensure your assets are covered.
1. Strong defenses are necessary to prevent attacks, maintaining strong defenses includes:
Clarifying roles and responsibilities is one way to strengthen your defenses: Clear roles prevent confusion and gaps so employees will know where to turn to in case of an emergency. Having a definitive, bureaucratic procedure for assigning roles is not the norm for risk management, but it can be a healthy aspiration.
From broad decision-making to tactical incident response/playbooks, drawing up responsibilities can help plan what to do in the event of an incident. It replaces assumptions with organizational clarity. Legal, communications, the CEO, and other executive representatives can all benefit from being prepared.
It's vital to have a well-defined framework: Overall, a well-defined compliance framework shows evidence of planning and organization-wide proactivity. Cybersecurity is being taken seriously and there is cybersecurity awareness.
At the heart of a strong defense is a robust cybersecurity program: Having safety measures in place provides protection and makes it less likely for attacks to become catastrophic. Implementing the program diligently in a way that is complete and comprehensive is imperative. Aligning with industry standards is a must-do. It is a shield against liability, a protection through competence. Additionally, regulatory requirements are exhausting but they are worth it when it comes to avoiding liability as well as maintaining a good cybersecurity program and reputation.
2. The narrative is malleable. Take advantage of your opportunity to catalog events and communicate.
Documentation is the responsibility of the CISO: The CISO, who is always held accountable to the board, auditors, and potential court cases needs to carefully track everything. Having documentation is also a form of protection. Records can contain details on regular assessments, assessment results, and changes made in reaction to them. Details can be recorded related to the incident response plans to show that you, as a CISO, are planning to be prepared for the worst.
Have a good relationship with the board, management, and other stakeholders: The board needs to know about the organization's cybersecurity posture so that they can make informed decisions about where to allocate funds. Communication builds trust and generates support which can lead to better posture and therefore better protection.
Ensure the accuracy of information shared with the public: CISOs should review and approve public statements about their security stance. By paying attention to statements and checking with the security team first to make sure it’s accurate CISOs can prevent getting sued for misrepresentation/misinformation.
3. Cybersecurity Insurance is not a complete shield, but it does help.
CISOs should make it their business to know and inquire (for their records) about their individual duties, liabilities, and protections. If something looks fishy, they can request or attempt to change the circumstances. When negotiating, one argument CISOs can employ is to explain how the proposed changes would benefit their organization “With my added protection comes added freedom to do what is best for the organization without having to consider other factors (i.e.- personal risk.)”
Legal/contractual protections like indemnification clauses in your employment contract protect you financially. On the organizational level, there should be Directors and Officers (D&O) insurance to provide coverage for claims related to cybersecurity. This is limited, though. It will not cover criminal liability or governmental liability. Looking into additional personal insurance is responsible and so is finding personal counsel.
The CISO role is a complex responsibility and it is ceaselessly gaining additional, nuanced aspects. It is a role that comes with a lot of responsibility, liability, and risk — cyberattacks can affect CISOs personally, professionally, and ethically. Hopefully, these strategies that we listed can help limit this vulnerability they are now facing.
