InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
They’re the quiet ones—the ones that will silently gut your continuity strategy while leadership watches the wrong fire.
1️⃣ Shadow SaaS Is Out of Control – Business units are adopting tools without IT oversight—no security, no backups, no DR. It works… until it doesn’t. Then it becomes your problem.
2️⃣ RTOs Are Fiction, Not Strategy – “30 hours” looks good—until the CEO demands answers three hours in. If your recovery needs a miracle, it’s not a plan. It’s a pending failure.
3️⃣ Resilience Theater Is Everywhere – Policies? Written. Boxes? Checked. But when the real incident hits, no one knows what to do. You’ve got documentation, not readiness.
4️⃣ Hidden Dependencies Will Break You – APIs, scripts, microservices—no SLAs, no visibility, no accountability. They fail quietly. Business halts. And no one saw it coming.
5️⃣ Continuity Teams Have Quiet Quit – Resilience professionals are exhausted, underfunded, and unheard. Their silence isn’t safety—it’s burnout. And it’s dangerous.
🔶 Resilience doesn’t fail loudly. It erodes quietly. CISOs and leadership teams: It’s time to stop watching the wrong fire.
A new vulnerability affecting WinRAR and ZIP file extraction tools has been identified, which can allow malware to bypass antivirus programs. Attackers exploit this by embedding malicious scripts within specially crafted ZIP or RAR files, which can evade detection and execute upon extraction. The flaw takes advantage of how some extraction tools handle paths and permissions, potentially leading to unauthorized access and execution. Users are advised to update their software and exercise caution with untrusted compressed files to mitigate the risk of such attacks.
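The flaw described above turns on how an extractor treats member paths. The defensive counterpart is to audit every archive entry before writing anything to disk: reject absolute paths, drive letters, `..` components and symbolic links, and re-check containment after the destination path is resolved. The code below is an added example written for this post, not part of the original article and not tied to any particular product or advisory; the archive it inspects is constructed in memory so it runs offline, and the names `classify_member`, `audit_archive`, `extract_safely` and `build_sample_archive` are this example's own. Note that CPython's `ZipFile.extract` already strips absolute and `..` components silently; an explicit audit like this one is for the case where you want to refuse and log such members rather than quietly rewrite them.

```python
"""Audit ZIP members before extraction so that no entry can escape the
destination directory. Added example for this blog post; generic zipfile
handling, not the code of any extraction tool mentioned on the page."""
import io
import os
import posixpath
import stat
import zipfile
from typing import Dict, List, Optional


def classify_member(name: str, is_symlink: bool) -> Optional[str]:
    """Return a rejection reason for an unsafe member name, or None if safe."""
    if is_symlink:
        return "symlink"                      # a link can point outside dest
    n = name.replace("\\", "/")               # normalise Windows separators
    if n.startswith("/"):
        return "absolute path"
    if len(n) > 1 and n[1] == ":":            # Windows drive letter, e.g. C:/
        return "drive letter"
    if ".." in posixpath.normpath(n).split("/"):
        return "path traversal"
    return None


def audit_archive(zip_bytes: bytes) -> Dict[str, object]:
    """Classify every member; returns {'ok': [names], 'rejected': {name: reason}}."""
    ok: List[str] = []
    rejected: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Unix mode bits live in the high 16 bits of external_attr.
            is_link = stat.S_ISLNK(info.external_attr >> 16)
            reason = classify_member(info.filename, is_link)
            if reason:
                rejected[info.filename] = reason
            else:
                ok.append(info.filename)
    return {"ok": ok, "rejected": rejected}


def extract_safely(zip_bytes: bytes, dest: str) -> List[str]:
    """Extract only audited members; returns the relative paths written."""
    dest_real = os.path.realpath(dest)
    written: List[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if classify_member(info.filename, stat.S_ISLNK(info.external_attr >> 16)):
                continue
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            # Second, independent containment check after path resolution.
            if os.path.commonpath([dest_real, target]) != dest_real:
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, dest_real))
    return written


def build_sample_archive() -> bytes:
    """Constructed sample: one benign member plus four unsafe ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")          # safe
        zf.writestr("../escape.txt", "outside")          # traversal
        zf.writestr("/tmp/absolute.txt", "abs")          # absolute path
        zf.writestr("C:/drive.txt", "drive")             # drive letter
        link = zipfile.ZipInfo("link")                   # symlink entry
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "../../etc/passwd")
    return buf.getvalue()


if __name__ == "__main__":
    import tempfile
    report = audit_archive(build_sample_archive())
    for name, why in report["rejected"].items():
        print(f"rejected {name!r}: {why}")
    with tempfile.TemporaryDirectory() as d:
        print("written:", extract_safely(build_sample_archive(), d))
```

Running the script audits the constructed archive, reports four rejected members with their reasons, and writes only `docs/readme.txt` into a temporary directory. The same two-stage check (name audit, then resolved-path containment) applies to RAR or tar members; only the listing API differs.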
What key factors have contributed to increased personal liability risks for CISOs?
The role of the CISO has evolved significantly over the past year. The notable shift toward increased personal liability is largely the result of three factors:
First, organizations are at greater cybersecurity risk than ever. Attackers and their wares are growing more advanced by the day. At the same time, for all their benefits, new technologies, such as AI, often result in increasingly complex digital infrastructures that may hide security vulnerabilities ripe for the picking.
Second, the evolving regulatory landscape: laws such as the Digital Operations Resiliency Act (DORA) in Europe and various new regulations from the US Securities and Exchange Commission (SEC) legally place personal responsibility for data breaches squarely on the shoulders of the CISO.
Finally, broader public awareness of security lapses: the SEC now requires publicly traded companies to disclose material cybersecurity incidents within four days. This is on top of the Strengthening American Cybersecurity Act that requires entities that own or operate critical infrastructure to report cyber incidents and ransom payments within 24 to 72 hours.
How have high-profile cyber incidents influenced the perception and reality of personal liability for CISOs?
Even if many organizations are now required to disclose cybersecurity incidents in a timely manner—as I just mentioned—that doesn’t mean all of those incidents become common knowledge. In fact, relatively few do. High-profile cybersecurity breaches—the incidents that most affect the general public—are those that drive intensified public scrutiny. As these incidents grab headlines, customers demand change. Unfortunately for the CISO, in these cases, perception is reality, and they often become the sacrificial lamb even if a broader set of executives and board members should share liability.
What proactive steps can CISOs take to mitigate the risk of personal liability?
As the saying goes, “an ounce of prevention is worth a pound of cure.” So, first and foremost, do your core job by strengthening your organization’s cyber resilience. Ensure your team has the resources, skills and guidance to maintain visibility into all of your assets; properly configure perimeter defenses; protect business-critical data and apps with a robust backup and recovery strategy; enforce strong security policies for things like passwords, the principle of least privilege and remote and personal device access; conduct effective employee cybersecurity awareness training; and finally, test and rehearse, test and rehearse, test and rehearse.
It also helps to fight fire with fire. Cybercriminals are using AI to improve their tactics. Implementing AI-powered technology to improve the effectiveness of each of the above cyber resilience steps will help ensure you stay one step ahead of bad actors and avoid the risk of being held personally liable for a successful breach.
Another key is establishing clear lines of communication with other executive leaders and board members. Be completely transparent and avoid the temptation to paper over emerging and potential issues you don’t quite yet understand or have the resources to deal with. It’s much better to be able to say, “I told you so,” than, “should have, could have, would have.”
How effective are directors and officers insurance policies in protecting CISOs from personal liability?
Directors and officers (D&O) liability insurance can offer some protection for the CISO, but its effectiveness in the dynamic realm of cybersecurity is not 100% certain. These policies typically cover legal fees and damages resulting from lawsuits against executives for decisions made in their professional capacities, but regulations that include personal accountability for cybersecurity failures might challenge the scope and limits of traditional D&O coverage. Insurance providers may need to adjust their policies to address the specific risks faced by CISOs. While this will lead to more effective, tailored coverage, it could also potentially lead to higher premiums or so many exclusions that it becomes impractical.
How can organizations better support their CISOs to ensure they are not unfairly held liable for cyber incidents?
Organizations need to develop a culture of welcomed transparency. If the CISO is afraid to bring hard truths to the executive leadership team and board, there’s a problem. On our team, we tend not to talk much about the things that are going well. Instead, we focus almost exclusively on what we need to improve. Red flags aren’t something we avoid, but embrace, so everyone is aware of risks and potential vulnerabilities.
Just as important, even the best security team will fail if not given necessary resources. This includes not just ongoing budgetary support to execute the above cyber resilience strategies, but also the authority to implement critical security measures. If security recommendations are consistently overridden or ignored by other parts of the organization, the CISO’s efforts become futile.
What advice would you give to current and aspiring CISOs in navigating the complexities of personal liability?
The biggest area of improvement needed for most CISOs is communication skills. As I stated, transparency is just as important as anything else in avoiding cybersecurity breaches and the resulting risk of personal liability, and transparency requires effective communication. Not only that, but negotiating for the resources you need to execute the cyber resilience strategies that will protect both your organization and you also requires effective communication. Lastly, effective communication plays a key role in your ability to get organization-wide buy-in to cybersecurity best practices by positioning cybersecurity as a business enabler rather than hindrance.
8 Steps to Better Security: A Simple Cyber Resilience Guide for Business
Harden your business against internal and external cybersecurity threats with a single accessible resource.
In 8 Steps to Better Security: A Simple Cyber Resilience Guide for Business, cybersecurity researcher and writer Kim Crawley delivers a grounded and practical roadmap to cyber resilience in any organization. Offering you the lessons she learned while working for major tech companies like Sophos, AT&T, BlackBerry Cylance, Tripwire, and Venafi, Crawley condenses the essence of business cybersecurity into eight steps.
The standards in the Cyber Resilience Guidance Standards Kit provide expert guidance on cyber security and business continuity. These standards will help you build on the guidance of the standards in the Cyber Resilience Core Standards Kit.
The standards included in this kit are:
PAS 555:2013 – This Publicly Available Specification (PAS) from BSI details what good cyber security looks like.
ISO/IEC 27031:2011 – ISO/IEC 27031 outlines processes that will help you prevent, detect and manage IT incidents.
ISO/IEC 27032:2012 – Provides guidance on improving the state of cyber security.
Why should I buy this kit?
If you have purchased the standards in the Cyber Resilience Core Standards Kit and want to get more expert guidance on ensuring the continuity of your organization in case of a cyber security incident, the standards in this kit are key.
It’s no longer sufficient to suppose that you can defend against any potential attack; you must accept that an attack will inevitably succeed. An organisation’s resilience in identifying and responding to security breaches will become a critical survival trait in the future. The Cyber Resilience Implementation Suite has been designed to help organisations create an integrated management system that will help defend against cyber threats and minimise the damage of any successful attack. This suite of products will help you to deploy the cyber security Standard ISO27001 and the business continuity Standard ISO22301 to create an integrated cyber resilience management system. The books in this suite will provide you with the knowledge to plan and start your project, identify your organisation’s own requirements and apply these international standards. Management systems can require hundreds of documents and policies. Created by experienced cyber security and business continuity professionals, the toolkits in the Cyber Resilience Implementation Suite provide documentation templates to save you weeks of researching and writing and the supporting guidance to ensure you’re applying the necessary policies for your business. Administration and updating of the documentation is made easy with the toolkits’ integrated dashboard, easy customization of templates and one-click formatting.
AXELOS’s new guide RESILIA™ Cyber Resilience Best Practices provides a methodology for detecting and recovering from cyber security incidents using the ITIL lifecycle.
Best guide on Cyber Resilience on the web – Cyber Resilience Best Practices is part of the AXELOS RESILIA™ portfolio.
RESILIA™ Cyber Resilience Best Practices is aimed at anyone who is responsible for staff or processes that contribute to the cyber resilience of the organization.
The methodology outlined in this manual has been designed to complement existing policies and frameworks, helping create a benchmark for cyber resilience knowledge and skills.
Designed to help organizations better prepare themselves to deal with the increasing range and complexity of cyber threats.
Provides a management approach to assist organizations with their compliance needs, complementing new and existing policies and frameworks.
Developed by experts in hands-on cyber resilience and systems management, working closely with subject and technology experts in cyber security assessment.
Supports the best-practice training and certification that is available to help organizations educate their staff by providing a defined benchmark for cyber resilience knowledge and skills.
Aligned with ITIL®, which is the most widely accepted service management framework. The best practice is equally suitable for organizations to adopt within other systems, such as COBIT® and organization-specific frameworks.
Target market
Managers who are responsible for staff and processes where cyber resilience practices are required – for example those processing payment card information, sensitive commercial data or customer communications.
IT service management teams, IT development and security teams, cyber teams and relevant team leaders that operate the information systems that the organization relies on.
IT designers and architects, those responsible for the design of the information systems and the controls that provide resilience.
The chief information security officer (CISO), the chief security officer (CSO), IT director, head of IT and IT managers.
Buy this guide and gain practical guidance on assessing, deploying and managing cyber resilience within business operations.
Cyber security is not enough – you need to become cyber resilient
The document toolkits – created by experienced cyber security and business continuity professionals – provide you with all the document templates you’ll need to achieve compliance, whilst the supporting guidance will make sure you find the fastest route to completing your project.
Whether you know it or not, your organization is under cyber attack. Sooner or later, a hacker or cyber criminal will get through, so you need to ensure that you have the systems in place to resist such breaches and minimize the damage caused to your organization’s infrastructure and reputation.
You need to develop a system that is cyber resilient – combining the best practice from the international cyber security and business continuity standards ISO22301 and ISO27001.
This specially priced bundle of eBooks and documentation toolkits gives you all the tools you need to develop a cyber-resilient system that will both fend off cyber attacks and minimize the damage of any that get through your cyber defenses.
The books in this suite will provide you with the knowledge to plan and start your project, identify your organization’s own requirements and help you to apply these international standards.