For years, the CISO role carried immense responsibility but little personal liability
When Chuck Norton took on the role of chief information security officer (CISO) at a major state university, he had been on the job for only a few months when a jury convicted another CISO—of ride-hailing app Uber—of covering up a data breach. The landmark verdict served as a stark wake-up call, forcing Norton and others in his field to confront a new reality of professional and personal risk.
“I was stuck at the confluence of being accountable for everything and having authority over nothing,” said Norton, who has since left the role and now works as a senior advisor at a risk management firm. “On the other hand, it very much felt like the sword of Damocles was hanging over my head, just waiting to drop.”
Norton is not alone. As the responsibilities of CISOs expand to include everything from compliance to artificial intelligence strategy, the legal and personal risks they face are growing as well.
New Era of Personal Liability
For years, the CISO role carried immense responsibility but little personal liability. That changed with the conviction of former Uber CISO Joseph Sullivan (found guilty by a jury in 2022, sentenced in 2023, and still under appeal at the time of writing) and with the Securities and Exchange Commission (SEC) charging SolarWinds and its CISO with “fraud and internal control failures”, a case most of which a federal court later dismissed in 2024. These high-profile cases have forced many companies to re-evaluate the legal protections they offer their cybersecurity leadership.
However, the response from most organisations has been to focus on liability rather than on security. According to survey data from Fastly, a cloud-services provider, 93 per cent of companies made policy changes in the past year to address CISOs’ concerns. Those changes, though, often amount to closer scrutiny of SEC filings and promises of legal protection for staff rather than investment in the company’s security posture.
“That’s not actually improving a company’s security posture in a meaningful way,” said Marshall Erwin, CISO at Fastly. “The idea of accountability is that we want to incentivise stronger security, and just because security leaders aren’t necessarily going to face as much immediate liability doesn’t mean that they are more properly incentivised to strengthen their company’s security program.”
Rising Threat to Executives’ Private Lives
The threat to a CISO is no longer purely professional. Last year, a hacker claimed to hold data on 31 million customers of an Indian insurance firm and alleged that the company’s CISO had sold it to him. The CISO was later cleared, but the accusation marked a new front in the war against cybersecurity executives.
This is a battle that increasingly extends into their personal lives. Caleb Sima, a former chief security officer at trading platform Robinhood, said that today’s attackers mine social media for detailed open-source intelligence—travel patterns, family details, and business relationships—to fuel phishing and deepfake attacks.
“I’ve seen cases where attackers timed phishing campaigns around executive travel posts,” Sima said, adding that C-suite executives should assess all factors that might affect their safety.
For Chuck Norton, the focus has shifted entirely. If he were to take another CISO position in the future, he says he would be looking for a specific culture where security is genuinely valued. “The culture component is so much more important than the technical controls because where there’s a will, there’s a way,” he said. The ultimate solution, experts argue, lies not in legal contracts but in a fundamental commitment from leadership to invest in a resilient security program.