
Blaming the CISO Is Counterproductive


December 15, 2022

Holding the chief information security officer responsible after a company discovers a data breach sounds like a no-brainer. Not long ago the CEO bore the responsibility, but increasingly CISOs have become the scapegoat, often losing their jobs and sometimes facing legal culpability. This creates a precedent that could put companies at greater risk, argues Sue Poremba, writing for Security Intelligence. The CISO isn’t always the one making decisions about which security systems a company needs; that is usually someone higher up the management ladder with more clout but less technical know-how. Most data breaches and other cyber incidents are caused by employees who use weak passwords or fall for phishing emails and social engineering attacks. Boards of directors and high-level executives want to show their stakeholders and customers that someone with the word “security” in their job title is held responsible, but ultimately this can make organizations more vulnerable to attack. Poremba shows how two recent, highly publicized major cyberattacks, SolarWinds and Uber, fed this trend. There’s already a serious talent shortage in the cybersecurity field, she says, and making the CISO personally liable for breaches could cause fewer people in the security industry to move into leadership roles.
