36% of organizations have outlined roles within cybersecurity teams
A recent Fastly report found that 93% of organizations made policy changes over the preceding 12 months to address concerns about personal liability for Chief Information Security Officers (CISOs). This includes two in five organizations (41%) increasing CISO participation in strategic decisions at the board level.
In late 2023, newly adopted regulations such as the SEC rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies, as well as other headlines, put an increased focus on corporate accountability for data breaches, heightening concern about CISO liability. To reduce this risk, 38% of respondents have promised “increased scrutiny of security disclosure documentation from supervisory agencies” while 38% have improved legal support for cybersecurity staff, including liability insurance, and corporations have allocated more resources to security in the past year.
The research also found that nearly half (46%) of organizations are unclear about who holds ultimate responsibility for cybersecurity incidents, while 36% have clearly delineated roles and responsibilities within their teams. The research points to a significant gap in how organizations internalize responsibility and translate regulatory guidance into meaningful improvements to security postures. This responsibility doesn’t fall on just one person; it requires clear communication at every level of the organization to understand how and why cybersecurity risks should be mitigated and how efforts should be aligned to reduce exposure.