Aug 01 2024

Why CISOs face greater personal liability

Category: CISO,vCISOdisc7 @ 10:58 am
What key factors have contributed to increased personal liability risks for CISOs?

The role of the CISO has evolved significantly over the past year. The notable shift toward increased personal liability is largely the result of three factors:

First, organizations are at greater cybersecurity risk than ever. Attackers and their wares are growing more advanced by the day. At the same time, for all their benefits, new technologies, such as AI, often result in increasingly complex digital infrastructures that may hide security vulnerabilities ripe for the picking.

Second, the evolving regulatory landscape. Laws such as the Digital Operations Resiliency Act (DORA) in Europe and various new regulations from the US Securities and Exchange Commission (SEC) legally place personal responsibility for data breaches squarely on the shoulders of the CISO.

Finally, broader public awareness of security lapses. The SEC now requires publicly traded companies to disclose material cybersecurity incidents within four days. This is on top of the Strengthening American Cybersecurity Act that requires entities that own or operate critical infrastructure to report cyber incidents and ransom payments within 24 to 72 hours.

How have high-profile cyber incidents influenced the perception and reality of personal liability for CISOs?

Even if many organizations are now required to disclose cybersecurity incidents in a timely manner—as I just mentioned—that doesn’t mean all of those incidents become common knowledge. In fact, relatively few do. High-profile cybersecurity breaches—the incidents that most affect the general public—are those that drive intensified public scrutiny. As these incidents grab headlines, customers demand change. Unfortunately for the CISO, in these cases, perception is reality, and they often become the sacrificial lamb even if a broader set of executives and board members should share liability.

What proactive steps can CISOs take to mitigate the risk of personal liability?

As the saying goes, “an ounce of prevention is worth a pound of cure.” So, first and foremost, do your core job by strengthening your organization’s cyber resilience. Ensure your team has the resources, skills and guidance to maintain visibility into all of your assets; properly configure perimeter defenses; protect business-critical data and apps with a robust backup and recovery strategy; enforce strong security policies for things like passwords, the principle of least privilege and remote and personal device access; conduct effective employee cybersecurity awareness training; and finally, test and rehearse, test and rehearse, test and rehearse.

It also helps to fight fire with fire. Cybercriminals are using AI to improve their tactics. Implementing AI-powered technology to improve the effectiveness of each of the above cyber resilience steps will help ensure you stay one step ahead of bad actors and avoid the risk of being held personally liable for a successful breach.

Another key is establishing clear lines of communication with other executive leaders and board members. Be completely transparent and avoid the temptation to paper over emerging and potential issues you don’t quite yet understand or have the resources to deal with. It’s much better to be able to say, “I told you so,” than, “should have, could have, would have.”

How effective are directors and officers insurance policies in protecting CISOs from personal liability?

Directors and officers (D&O) liability insurance can offer some protection for the CISO, but its effectiveness in the dynamic realm of cybersecurity is not 100% certain. These policies typically cover legal fees and damages resulting from lawsuits against executives for decisions made in their professional capacities, but regulations that include personal accountability for cybersecurity failures might challenge the scope and limits of traditional D&O coverage.
Insurance providers may need to adjust their policies to address the specific risks faced by CISOs. While this will lead to more effective, tailored coverage, it could also potentially lead to higher premiums or so many exclusions that it becomes impractical.

How can organizations better support their CISOs to ensure they are not unfairly held liable for cyber incidents?

Organizations need to develop a culture of welcomed transparency. If the CISO is afraid to bring hard truths to the executive leadership team and board, there’s a problem. On our team, we tend not really even talk about the things that are going well. Instead, we focus almost exclusively on what we need to improve. Red flags aren’t something we avoid, but embrace, so everyone is aware of risks and potential vulnerabilities.

Just as important, even the best security team will fail if not given necessary resources. This includes not just ongoing budgetary support to execute the above cyber resilience strategies, but also the authority to implement critical security measures. If security recommendations are consistently overridden or ignored by other parts of the organization, the CISO’s efforts become futile.

What advice would you give to current and aspiring CISOs in navigating the complexities of personal liability?

The biggest area of improvement needed for most CISOs is communication skills. As I stated, transparency is just as important as anything else in avoiding cybersecurity breaches and the resulting risk of personal liability, and transparency requires effective communication. Not only that, but negotiating for the resources you need to execute the cyber resilience strategies that will protect both your organization and you also requires effective communication. Lastly, effective communication plays a key role in your ability to get organization-wide buy-in to cybersecurity best practices by positioning cybersecurity as a business enabler rather than hindrance.

Role of the CISO titles

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Cyber Resilience, cybersecurity


Feb 02 2022

10 Steps to Cyber Security

Category: Cyber resilience,cyber securityDISC @ 4:34 pm

8 Steps to Better Security: A Simple Cyber Resilience Guide for Business

Harden your business against internal and external cybersecurity threats with a single accessible resource. 

In 8 Steps to Better Security: A Simple Cyber Resilience Guide for Business, cybersecurity researcher and writer Kim Crawley delivers a grounded and practical roadmap to cyber resilience in any organization. Offering you the lessons she learned while working for major tech companies like Sophos, AT&T, BlackBerry Cylance, Tripwire, and Venafi, Crawley condenses the essence of business cybersecurity into eight steps.  

Tags: Cyber Resilience, Steps to Cyber Security


Aug 08 2017

Cyber Resilience Guidance Standards Kit

Category: BCP,cyber security,DRPDISC @ 4:22 pm

The standards in the Cyber Resilience Guidance Standards Kit provide expert guidance on cyber security and business continuity. These standards will help you build on the guidance of the standards in the Cyber Resilience Core Standards Kit.

The standards included in this kit are:

  • PAS 555:2013:- This Publicly Available Specification (PAS) document from BSI details what good cyber security looks like.
  • ISO/IEC 27031:2011:- ISO/IEC 27031 outlines processes that will help you prevent, detect and manage IT incidents.
  • ISO/IEC 27032:2012:- Provides guidance on improving the state of cyber security.

 

Why should I buy this kit?

If you have purchased the standards in the Cyber Resilience Core Standards Kit and want to get more expert guidance on ensuring the continuity of your organization in case of a cyber security incident, the standards in this kit are key.

Cyber Security Standards & Books






Tags: Cyber Resilience


Nov 04 2016

Cyber security is not enough

Category: cyber securityDISC @ 1:11 pm

CyberresilienceSuite

Cyber security is not enough – you need to become cyber resilient

 

Cyber Resilience Implementation Suite

It’s no longer sufficient to suppose that you can defend against any potential attack; you must accept that an attack will inevitably succeed. An organisation’s resilience in identifying and responding to security breaches will become a critical survival trait in the future. The Cyber Resilience Implementation Suite has been designed to help organisations create an integrated management system that will help defend against cyber threats and minimise the damage of any successful attack. This suite of products will help you to deploy the cyber security Standard
ISO27001 and the business continuity Standard
ISO22301 to create an integrated cyber resilience management system. The books in this suite will provide you with the knowledge to plan and start your project, identify your organisation’s own requirements and apply these international standards. Management systems can require hundreds of documents and policies. Created by experienced cyber security and business continuity professionals, the toolkits in the Cyber Resilience Implementation Suite provide documentation templates to save you weeks of researching and writing and the supporting guidance to ensure you’re applying the necessary polices for your business. Administration and updating of the documentation is made easy with the toolkits’ integrated dashboard, easy customization of templates and one-click formatting.

Cyber Resilience Implementation Suite

 


Contents

This suite includes:

Start building cyber resilience into your organisation today.





Tags: Cyber Resilience, ISO 22301, iso 27001, iso 27002


Jun 19 2015

Cyber Resilience Best Practices

Category: Cyber Insurance,cyber security,CybercrimeDISC @ 11:07 am

Cyber Resilience

Cyber Resilience

RESILIA™ Cyber Resilience Best Practices

AXELOS’s new guide RESILIA™ Cyber Resilience Best Practices provides a methodology for detecting and recovering from cyber security incidents using the ITIL lifecycle

RESILIA™ Cyber Resilience Best Practices

Best guide on Cyber Resilience on the web – Cyber Resilience Best Practices
is part of the AXELOS RESILIA™ portfolio.

RESILIA™ Cyber Resilience Best Practices is aimed at anyone that is responsible for staff or processes that contribute to the cyber resilience of the organization.

The methodology outlined in this manual has been designed to complement existing policies and frameworks, helping create a benchmark for cyber resilience knowledge and skills.

  • Designed to help organizations better prepare themselves to deal with the increasing range and complexity of cyber threats.
  • Provides a management approach to assist organizations with their compliance needs, complementing new and existing policies and frameworks.
  • Developed by experts in hands-on cyber resilience and systems management, working closely with subject and technology experts in cyber security assessment.
  • Supports the best-practice training and certification that is available to help organizations educate their staff by providing a defined benchmark for cyber resilience knowledge and skills.
  • Aligned with ITIL®, which is the most widely accepted service management framework. The best practice is equally suitable for organizations to adopt within other systems, such as COBIT® and organization-specific frameworks.

 

Target market

 

  • Managers who are responsible for staff and processes where cyber resilience practices are required – for example those processing payment card information, sensitive commercial data or customer communications.
  • IT service management teams, IT development and security teams, cyber teams and relevant team leaders that operate the information systems that the organization relies on.
  • IT designers and architects, those responsible for the design of the information systems and the controls that provide resilience.
  • The chief information security officer (CISO), the chief security officer (CSO), IT director, head of IT and IT managers.

 

Buy this guide and gain practical guidance on assessing, deploying and managing cyber resilience within business operations.
RESILIA™ Cyber Resilience Best Practices





Tags: Chief Information Security Officer, CISO, Computer security, CSO, cyber crime, Cyber Defence, Cyber Insurance, Cyber protection, Cyber Resilience, cyber security, Cyber Security countermeasures, Cyber Security Safeguards, cyber threats, data security, Information Security, Information Technology Infrastructure Library, ISO, iso 27001, iso 27002


May 15 2014

Cyber Resilience Implementation Suite

Category: BCP,Information Security,ISO 27kDISC @ 11:15 am

CyberResilience

Cyber security is not enough – you need to become cyber resilient

 

The document toolkits – created by experienced cyber security and business continuity professionals – provide you with all the document templates you’ll need to achieve compliance, whilst the supporting guidance will make sure you find the fastest route to completing your project.

Whether you know it or not, your organization is under cyber attack. Sooner or later, a hacker or cyber criminal will get through, so you need to ensure that you have the systems in place to resist such breaches and minimize the damage caused to your organization’s infrastructure, and reputation.

You need to develop a system that is cyber resilient – combining the best practice from the international cyber security and business continuity standards ISO22301 and ISO27001.

This specially-priced bundle of eBooks and documentation toolkits gives you all the tools you need to develop a cyber-resilient system that will both fend off cyber attacks, and minimize the damage of any that get through your cyber defenses.

The books in this suite will provide you with the knowledge to plan and start your project, identify your organization’s own requirements and help you to apply these international standards.

The document toolkits – created by experienced cyber security and business continuity professionals – provide you with all the document templates you’ll need to achieve compliance, whilst the supporting guidance will make sure you find the fastest route to completing your project.

Download your copy today

This suite includes:




Tags: business continuity, Computer security, Cyber Resilience, cyberwarfare, ISO/IEC 27001