Cyber Liability: CISOs Must Be Prepared for Accountability
Panel Discusses Strategies for CISOs to Navigate Executive Liability
As organizations grapple with an increasingly complex and interconnected digital landscape, top-level executives, particularly CISOs and CIOs, are faced with heightened executive liability. With the high-profile cases of CIO Carlos Abarca and CSO Joe Sullivan serving as stark examples, the message is clear - executives cannot afford to be complacent.
Security leaders must be meticulous in their decision-making and equipped with the right support networks to navigate the intricate terrain of executive liability.
Andrew Robson, CISO at Bentley Motors, said security professionals can no longer assume existing controls are sufficient. It's crucial to verify that controls and risk management solutions are functioning effectively.
Security leaders also must be prepared to justify their decisions not only to their boards but also to external regulators and even prosecutors, said Quentyn Taylor, senior director of information security and global response at Canon.
Attorney Jonathan Armstrong of Cordery Compliance warned about a growing trend of prosecutors targeting individuals within corporations, placing CISOs and CIOs at risk of personal accountability.
"If the chips are down, you may have to - like in the Joe Sullivan case - be able to operate independently," Taylor said. "Your company is just one of the other plaintiffs in the case - and so are you."
In this video interview with Information Security Media Group at ISMG's London Cybersecurity Summit 2023, Robson, Taylor and Armstrong also discussed:
- The importance of conducting tabletop exercises;
- How security leaders can prepare themselves in the event of a breach;
- How organizations can support their CISOs.
Robson is a solutions-oriented IT security specialist who has directed a broad range of corporate IT initiatives and developed effective security policies.
Taylor has experience in delivering security that meets business objectives. His expertise lies in information security, strategic management and risk management.
Armstrong is an experienced lawyer and an expert on data protection and data security law. He advises multinational companies on risk, compliance and technology.