Lunsford also sees a more immediate problem associated with the CISO disconnect between responsibilities and authority.
“The personal liability stakes are forcing CISOs to be more deliberate and measured with their decision-making. We have heard from many CISOs that they are more intentionally documenting decision-making of their own and that of senior leadership when it comes to making risk-based decisions,” Lunsford said. “On the surface, that may sound completely positive, but it has an impact of slowing decision-making and adding administrative burden when carried out manually without technology that automatically records their work and decision-making.”
Negotiating protections
Ultimately, whether CEOs provide CISOs with protections may come down to talent market dynamics. In the meantime, veteran security leader Jim Routh, who has held CISO-level roles at Mass Mutual, CVS, Aetna, KPMG, American Express, and JP Morgan Chase, counsels CISOs and prospective CISOs to push for key contractual protections.