GDS Group Security Insight Summit in Naples, FL | September 2024

Published by Joe Sullivan on

When I consult with companies on their security frameworks, I always ask a key question: What keeps your security team awake at night? For CISOs and security leaders, the concerns go far beyond handling incidents or managing risks. Many of them fear personal liability if an incident occurs and wonder how they’ll handle being held responsible.

Today, I had the opportunity to share my personal experience on a panel titled Navigating Headline Fears and Liability with Confidence at the Security Insight Summit by GDS Group. During the Q&A session in a room full of security professionals, I reflected on the consequences of the Uber breach and shared key insights from how it was handled.

I’m encouraged to see a shift in government focus away from solely holding security leaders accountable and toward the broader company leadership, including the CEO, recognizing their role and responsibility in the company’s security framework. Earlier this summer, I published an article, The CEO Is Next, which dives into this topic in detail. The response was overwhelming, with many CISOs expressing similar concerns about personal liability and advocating for key leadership to share accountability for security decisions and the structure built before any breach occurs.

While we haven’t yet reached the point where a government agency publicly holds a corporate CEO personally liable for a failure to invest sufficiently in cybersecurity, I believe that day is approaching. I am grateful for the opportunity to share my experience with other security professionals and continue advocating for this necessary shift in responsibility.