Rising Liability Risks Are Reshaping the CISO Role and Cybersecurity Leadership
Authored by Maryam Shoraka
Published on March 13, 2026
In today’s rapidly evolving digital landscape, the role of the Chief Information Security Officer (CISO) is undergoing profound transformation. The days when CISOs were merely technical experts appear to be slipping away, replaced by executives facing increasing legal exposure. Today, their responsibilities extend beyond mere network defense to encompass the risk of personal indictment, given the growing scrutiny stemming from cybersecurity incidents.
Historically, cybersecurity was about maintaining the integrity and resilience of systems. In recent years, however, it has become entangled with the details of directors and officers (D&O) insurance policies, as well as the precise wording utilized in board meeting minutes. This shift underscores a critical evolution in the security landscape, especially following high-profile legal actions against corporate security leaders from firms such as SolarWinds and Uber. The grim realization of “the Fall Guy era” has begun to overshadow the industry, marking a troubling turn for cybersecurity leadership.
The Quest for a Place at the Table
For many years, cybersecurity professionals lobbied for recognition as integral members of the business landscape. They sought acknowledgment that cybersecurity should be regarded as a business risk rather than relegated to a mere IT concern. This advocacy eventually bore fruit, granting practitioners a seat at the executive table; however, this newfound authority came bundled with daunting responsibilities and a heavy liability burden.
Regulatory bodies like the U.S. Securities and Exchange Commission (SEC) and the Australian Securities and Investments Commission (ASIC) have increasingly targeted individual executives in cases of compliance failures, highlighting a shift in focus from the board as a whole to the specific individuals who signed attestations—often the CISOs. This alteration has drastically redefined the role, transforming executive cybersecurity leaders from defenders of their organizations to the potential scapegoats for systemic failures.
The very public cases of Joe Sullivan from Uber and Timothy Brown from SolarWinds illustrate this transformation vividly. These incidents were not treated merely as technical failures; they were framed as failures of accountability and transparency. The legal precedents set in these cases make it evident: if an organization faces scrutiny, the CISO may be the first called to account for the failure.
Emergence of Defensive Security Leadership
The CISO’s job now resembles defensive practices seen in the medical field, where physicians often opt for unnecessary tests or procedures to shield themselves from potential malpractice suits. Similarly, a culture of “defensive security leadership” is emerging in cybersecurity. Understanding that personal assets and legal freedom could be jeopardized fundamentally alters the manner in which CISOs approach information reporting.
With the potential for legal ramifications looming, transparency—the erstwhile hallmark of a robust security culture—has begun to wane. Rather than communicating that significant vulnerabilities in legacy systems exist, which may take years to remediate, leaders may be inclined to frame updates in less alarming language, in essence crafting narratives that serve as shields from potential legal action. In reality, this risks diverting attention from pressing security challenges, fostering an environment of obfuscation where the fear of legal accountability outweighs genuine concern for cybersecurity resilience.
Deterioration of Security Culture
A vibrant security culture thrives on open dialogue about near-misses and failures without the threat of legal repercussions. However, as personal liability increasingly permeates the role of the CISO, this vital openness is eroded. Junior team members absorb a dangerous lesson from seeing their leaders face litigation: to refrain from documenting risks that could later be weaponized in court.
This scenario is particularly pronounced in Australia, where laws like the Security of Critical Infrastructure Act are sharpening corporate accountability. Here, the pressure for transparency and collaboration persists, even as the context becomes increasingly hostile. Ultimately, such conditions foster burnout and contribute to a talent exodus within cybersecurity ranks.
As the focus shifts from candid risk assessments to mitigating legal risks, the ability of CISOs to protect their organizations diminishes. They may find themselves spending more time consulting with legal counsel than collaborating with technical teams, a misalignment that benefits adversaries who do not face the same rules.
The Need for a New Social Contract
To prevent a significant attrition of talent in the CISO role, a new social contract between cybersecurity leaders and their organizations is essential. This contract ought to be built upon three foundational pillars extending beyond conventional employment agreements.
First and foremost, personal indemnification must become a non-negotiable aspect of the role. Companies asking CISOs to shoulder the organization’s digital survival must ensure substantive support, which includes robust indemnification provisions. Increasingly, CISOs are demanding independent legal advice during contract discussions, separate from the company’s general legal counsel, to safeguard their interests.
Second, redefining success in cybersecurity is crucial. With the reality that breaches may be inevitable, success should not merely be defined by the absence of incidents but rather by demonstrating due diligence and effectiveness in response. Moving toward a “safe harbor model” would protect leaders from personal litigation if they diligently follow established frameworks and communicate transparently about risks.
Lastly, CISOs should be granted direct access to the board without intermediary filtering from roles such as the CIO or CFO. Such direct communication allows for accurate risk reporting, eliminating distortions that arise when messages are reinterpreted through various operational lenses.
Confronting the Recruitment Crisis
The repercussions of this evolving liability exposure are already evident in the recruitment landscape. Experienced professionals are reassessing CISO positions, questioning whether the potential personal liabilities associated with these roles are justified. Many view the opportunity as too risky, especially when facing legacy issues that might predate their tenures.
If the industry fails to address these liability concerns, a problematic trend may emerge, producing CISOs who lack adequate experience to grasp the complexities involved or those who merely view the position as a stopgap for financial gain, remaining only long enough to collect a bonus before departing ahead of any potentially damaging event.
The Hard Truth Ahead
The cybersecurity profession stands at a critical crossroads. Continuing the current trend of scapegoating CISOs yields a landscape where blame is readily assigned to a single individual while obscuring the collective responsibility that organizations share.
It is evident that personal liability has not made organizations safer; rather, it has fostered a more litigious environment that stifles open discourse and leads to a culture of “paper security.” The misallocation of funding away from genuine security initiatives towards legal expenses and insurance premiums ultimately undermines the effectiveness of cybersecurity efforts.
In conclusion, the time has come to dismantle the “Fall Guy” mentality. Organizations must focus on creating governance structures that genuinely support frontline security personnel. Without proactive measures, the industry risks losing capable leaders who willingly shoulder the burden of safeguarding digital assets, leaving corporations vulnerable in an already precarious landscape.