CISOs Worried About Personal Liability For Breaches

Over three-fifths (62%) of global CISOs are concerned about being held personally liable for successful cyber-attacks that occur on their watch, and a similar share would not join an organization that fails to offer insurance to protect them, according to Proofpoint.

The security vendor polled 1600 CISOs from organizations of 200 employees or more across different industries in 16 countries, to compile its Proofpoint 2023 Voice of the CISO survey.

It revealed that CISOs in sectors with high volumes of sensitive data and/or heavy regulation such as retail (69%), financial services (65%) and manufacturing (65%) are most likely to demand insurance coverage.

Such concerns only add to the mental load on corporate IT security bosses. A combination of high-stress working environments, shrinking budgets and personal liability could be harming CISOs’ quality of life. Some 60% told Proofpoint they’ve experienced burnout in the past 12 months.

CISOs are most likely to experience burnout in the retail (72%) and IT, technology and telecoms (66%) industries.

Read more on CISO stress: Quarter of CISOs Self-Medicate as Pandemic Stress Spikes.

Nearly two-thirds (63%) of respondents said they have had to deal with the loss of sensitive information in the past year, with a similar number (61%) claiming their organization would not be able to cope with a targeted attack. 

Email fraud (33%), insider threats (30%), cloud account compromise (29%) and DDoS attacks (29%) topped the list of concerns.

Although insider negligence edged out malicious and compromised users as the leading cause of data loss events last year, more CISOs believe malicious insiders (43%) will cause a breach or data exposure in the next 12 months than compromised (40%) insiders do currently.

The report was released just days after former Uber CISO Joe Sullivan managed to escape jail time for his part in covering up a major breach at the firm.

However, on sentencing him to three years of probation, the judge in the case also warned that if there were a similar case tomorrow, the defendant would be heading to prison.
