In Depth

Data Breach Fallout: Do CISOs Need Legal Protection?

Since the security executive is on the hot seat after a data breach, some industry experts suggest CISOs get themselves some form of liability protection. The downside is that such protection could shield those who deserve the blame for an incident

By Bill Brenner, Senior Editor

July 30, 2008

In the wake of a data breach, the company's top brass may go looking for someone to blame. If you are the security chief, chances are it's going to be you.

It doesn't matter that you warned executives repeatedly that certain technological or cultural flaws were putting the company at risk, or that you had to maintain security with a shoestring budget and little or no staff. Chances are you'll take the fall whether you deserve it or not, says George Moraetes, a Chicago-based security contractor and executive board advisor for security event management firm IdentityLogix.

He has watched as some of his CSO acquaintances were blamed for a security failure or dismissed for trying to blow the whistle over the company's security holes.

"One friend of mine, the CISO of a credit bureau, blew the whistle on a security auditor who wasn't following best practices and was making reporting discrepancies," says Moraetes, an independent consultant. "The auditor was a friend of the top brass, and the CISO was let go. I know of three others in Georgia who were fired or demoted for similar reasons."

For that reason, he believes security professionals would be wise to cover themselves with some form of legal protection, whether it's liability insurance or language in their contract that clearly places full responsibility for security decisions with the CEO.

But is liability protection appropriate for everyone? Some industry experts aren't so sure.

One big downside to the concept of liability protection is that it could end up shielding those who deserve to be on the hot seat. Rick Lawhorn, CISO for PLANIT Technology Group LLC - a technology service company whose clients range from commercial enterprises to state and local government clients - says that some arrangements simply make it easier for IT personnel to save face following an incident or keep the wraps on the real state of insecurity in their organization.

Security issues are kept in the IT family for fear that radical changes will be requested, further taxing resources in most IT shops, he notes.

"In the rare chance that a security breach occurs or is detected, ignorance, finger pointing and scapegoats emerge to divert the attention away from the security shortcomings, allowing IT to continue the facade in hopes of covering up the real problems and concerns," Lawhorn says.

For those who are concerned about being protected from unfair blame, Moraetes and Lawhorn have some advice:

Moraetes recommends security professionals get some form of protection in writing before taking a CSO job. For instance, a written contract can say that the ultimate responsibility is with the executive who ultimately signs off on the security procedures the CSO has proposed.

CSO
