Should the CISO be held personally responsible for a breach?


Yes. But there are a ton of caveats that go along with it. It is like asking: Should the CEO be held personally responsible for the company being sued? While all security should have the buck stopping with the CISO, the question is what should be done to the CISO in the event of a breach. Some key questions to ask – is the CISO empowered with staff and a budget? If not, expect a manifestation of what Gene Spafford, professor of computer science at Purdue University, has coined Spaf’s Law, which holds that “if your position in an organization includes responsibility for security, but does not include corresponding authority, then your role in the organization is to take the blame when something happens.” It is very easy to blame the CISO. And when it is done just for blame, they are in fact the CSO: Chief Scapegoat Officer.
