The White House is considering a ban on ransomware payments, which could change the chief information and security officer (CISO) job. The ban would elevate the cybersecurity conversation to the CEO, the CFO, and the board, and potentially end the practice of scapegoating CISOs when a breach happens. This is a significant shift: after Uber’s former chief security officer was convicted for his role in covering up a 2016 cyberattack, CISOs had more reason to worry about the personal liability that came with the job. Here’s how companies should prepare for this new landscape right now: prepare for the worst, make senior leadership own the cybersecurity conversation, and test their security posture and regularly audit internal processes and employee security training to pinpoint gaps in cyber readiness.
Chief information security officer (CISO) burnout has been a problem in the industry for the better part of the past decade, and it seems to only be getting worse. With cyberattacks on the rise, managing wider and more complex attack surfaces, and mounting pressure to do more with tighter budgets, it’s no wonder three in four CISOs in the U.S. report feeling burned out. CISOs today aren’t just juggling resources — they’re in dual CIO/CISO roles in an effort to streamline strategy and further cut costs. And when security breaches and ransomware attacks occur, CISOs often automatically shoulder the blame.
Is this fair? Principally, no. But in practice, this is what typically happens: A breach occurs, often due to some kind of misconfiguration or lax security practice within the organization or a third-party software provider, and, to save face with customers (and the board), a new CISO is swapped in for the old.
Recently, however, the stakes for CISOs have gone up. This May, former Uber chief security officer Joe Sullivan was convicted for covering up the severity of Uber’s 2016 cyberattack after paying bad actors $100,000 to keep the breach under wraps. A survey this year found that 62% of CISOs are worried that when a breach occurs, they’ll be held personally accountable. As the Wall Street Journal explains, “relentless cyberattacks and pressure to fix security gaps despite budget constraints are raising the stress levels of corporate cyber leaders and their worries about personal liability.”