CISO accountability: Should security leaders be held responsible after a data breach?

The question of CISO accountability

The CISO’s job is to secure the organisation against data breaches and cyberattacks. But what happens when a cyber incident causes major disruption?

In the event of a major data breach, it is often the technology or security executive that falls on their sword.

As one recent example, in September, the UK retailer Marks & Spencer (M&S) announced the departure of its chief digital and technology officer, Rachel Higham, after less than two years in the role - and just months after a prominent cyberattack.

The ransomware attack, attributed to a hacking collective of teenagers from the US and the UK known as ‘Scattered Spider’, resulted in empty shelves in M&S food stores, online orders being halted for over six weeks and customers’ personal data being stolen. It is estimated that the cyberattack has, to date, cost the retailer £300 million ($400 million) in lost sales.

“Having steered the digital and technology team through a challenging six months, Rachel Higham has decided to take a break and is stepping back from her role,” M&S said in a statement.

The timing of the departure prompted speculation as to whether the M&S CTO was deemed accountable for the cybersecurity failures exploited in the network breach.

And yet, Higham is by no means the first technology or security executive to leave following a major cyberattack against a company, and is unlikely to be the last.

In 2017, Uber revealed that data on 57 million drivers had been stolen, while attackers also reportedly accessed company code. The Uber CISO was fired following the incident. Meanwhile, in the aftermath of a data breach in which attackers accessed the personal information of 143 million Equifax customers, the company’s CISO and CSO were both forced out of their roles.

CISOs and the post-data breach response

Of course, not every CTO, CIO or CISO should - or will - depart after there’s been a cyberattack or data breach. If they did, the turnover in those roles would be impossible to deal with, and there’s an argument too that the volatility of the position could have a negative impact on future security leaders coming through.

But at what point should the individual in that role be held accountable? Will the CISO’s position always be under review as part of an organisation’s data breach response - or should there be broader boardroom ownership of the risk?

“Let’s be really clear; every organisation is penetrable,” says Rebecca Fox, founder and CIO of Relentica, an IT consultancy, and previously Group CIO of NCC Group.

“If the CISO has done their very best, that’s all you can ask for. If they’re doing their best, implementing the controls and getting all the budget they can, what more can they do?”

To this point, an organisation can have all the required technical controls, all the necessary training and processes in place, and still get breached. After all, persistent cybercriminals may only need to find one weakness: one phishing email, one set of compromised login credentials or a single socially engineered IT administrator is enough to get into the corporate network. With the advent of AI, criminals are also turning to deepfakes and other forms of synthetic data as another way of gaining trust - and undetected access.

If a cyberattack is discovered, it is the CISO who is ultimately responsible for remediation and incident response: supporting staff effectively, providing updates about the incident to the board and implementing the necessary controls. Transparency with the wider market is critical, and often lauded too - just look at the 2023 ransomware attack on the British Library, which went on to publish an 18-page incident review detailing the lessons learned.

“Once a breach is found, the CISO is responsible for minimising the damage caused by the cyberattack and should act as the point of contact for the C-suite and the communications team, keeping them updated and informed of progress,” says Mihoko Matsubara, chief cybersecurity strategist at NTT.

“The CISO must take care of his or her cybersecurity team mentally and physically too, ensuring, as much as possible, that there is a comfortable working environment provided and that they are supported to stay focused on their cybersecurity tasks,” she adds.

Despite this, given the high-profile cases at Uber and SolarWinds where CISOs have stood trial, there is a question of how much of the liability should fall onto the shoulders of CISOs, some of whom have taken out their own public liability insurance.

“CISO accountability is evolving, and I think it’s both inevitable and healthy that the role begins to resemble that of a CFO or General Counsel — with a degree of clearly defined, legally recognised responsibility. The critical point is how this accountability is structured,” says Ross McKerchar, CISO at Sophos.

“If designed as a framework to support rather than simply punish after a breach, it can empower CISOs with stronger levers to influence investment, shape risk appetite and ultimately reduce the likelihood of incidents. Done right, it provides not just liability, but legitimacy and authority,” he adds.

Other experts, though, are calling for greater boardroom understanding of the risk should the worst happen, as well as renewed vigour around cybersecurity governance.

The UK’s National Cyber Security Centre (NCSC) recently issued a report in which it encouraged CEOs to take on greater accountability and strengthen cyber resilience – or risk “jeopardising their business’s future.”

“For too long, cyber security has been regarded as an issue predominantly for technical staff. This must change. All business leaders need to take responsibility for their organisation’s cyber resilience,” said chief executive Richard Horne.

The (lack of) CISO recognition

When things are going well, the CISO role arguably goes somewhat under the radar, failing to get appropriate recognition from business peers or even IT counterparts.

It’s unlikely the CISO will receive praise for the company being free of incidents, but once a cyberattack occurs, that’s when the pressure is on. Calling for a CISO to fall on their sword because of one incident would further shrink the pool of cybersecurity leaders willing to take the job, not least at a time when the average tenure of a CISO is estimated to be less than 18 months.

“...Leaders should be given the appropriate mandate, authority, and resources; otherwise, we will have fewer people wanting to take a CISO position,” says Matsubara.

Ultimately, in the event of a major incident, executives, shareholders and customers will want an explanation of what happened – especially if the organisation’s board of directors deem that they have provided the CISO with all of the necessary resources to detect, prevent and respond to a cyberattack. In this scenario, they may very well want someone to be held accountable.

“You need to make sure you’ve got all the basics right and you’re communicating to the right places in the business to get that... but there comes a point when it is your responsibility,” admits Fox. “If you’ve been there a while to make sure things are in place, then you are responsible and accountable.”

The CISO’s job is a difficult, complex role – especially in a large organisation with so many layers of different technology and processes in place – but when an incident occurs, several interested parties will want answers and somebody to hold responsible.

If a CISO is put under that much pressure, especially in an organisation which hasn’t provided them with the necessary support – then maybe they should seek pastures new.

“Sometimes, maybe you have to go for your own good, not just as a scapegoat for the organisation,” says Fox.

In today’s enterprise, cybersecurity leadership demands clarity and accountability. The CISO must be provided with the necessary resources to do the role properly, but they need to ensure that those resources are used effectively to stay ahead of the criminals and the regulators. Because in a world of fast-moving business, resourceful criminals and breaches resulting in heavy financial losses, shareholders will want accountability in the event of a cyberattack - or heads to roll.
