Fastly Research: 93% of Organizations Actively Reducing CISO Liability Risk

Harrison Brooks, Tuesday, Mar 4, 2025, 3:06 am ET


In the wake of high-profile data breaches and increasing regulatory scrutiny, organizations are taking proactive measures to mitigate cybersecurity risk and reduce the personal liability of their chief information security officers (CISOs). According to a recent study by Fastly, an edge cloud platform provider, 93% of organizations are actively working to reduce CISO liability risk. This article looks at the key challenges CISOs face and the strategies organizations are implementing to address them.



Key Challenges Facing CISOs

CISOs face a complex landscape of regulatory pressure, increasingly sophisticated attacks, and evolving operational models. These factors contribute to growing personal liability concerns for CISOs, as seen in the case of Joe Sullivan, the former Uber CSO who was found guilty of charges related to covering up a data breach (RSA Conference, 2023).

1. Regulatory Pressures: A growing number of regulations, such as the EU's NIS2 Directive (Network and Information Security Directive 2), the EU Cyber Resilience Act, and the US Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), require organizations to implement robust security measures and report incidents within fixed deadlines. This scrutiny places CISOs at the forefront of compliance efforts and makes them more accountable for any shortcomings in their organization's cybersecurity posture (Baker McKenzie, 2025).
2. Increasing Attack Sophistication: Cyberattacks are becoming more sophisticated, with technologies such as generative AI being adopted by threat actors. This makes it harder for CISOs to protect their organizations and raises liability concerns if they fail to adapt their security strategies (Baker McKenzie, 2025).
3. Evolving Operational Models: The post-pandemic rise in remote work and the growing use of cloud services have significantly broadened organizations' attack surfaces. CISOs must adapt their security strategies to these new risks, which includes managing third-party vendors and securing remote work environments (Baker McKenzie, 2025).

Strategies to Reduce CISO Liability Risk

Organizations are implementing several measures to reduce CISO liability risk, as highlighted in the Fastly research. Here are three specific strategies and how well they work in practice:

1. Define your lane: CISOs should focus on their core responsibilities, such as detecting, containing and remediating security incidents, rather than acting as legal counsel or making business decisions that belong to other executives. Staying within their area of expertise, and leaving disclosure and legal questions to counsel, keeps CISOs from taking on liability that is not theirs to carry.
- *Effectiveness*: This strategy prevents CISOs from assuming risks outside their remit and keeps them focused on their primary responsibilities. It only works, however, if the CISO understands the business context well enough to escalate the right questions to legal, compliance and executive leadership in time for them to decide.
2. Treat secrets as red flags: When a discussion turns to how to keep information about an incident quiet, rather than whether and how to disclose it, CISOs should treat that as a warning sign of potential misconduct or illegal activity. They should instead insist on transparency and open communication with leadership, counsel and, where required, regulators.
- *Effectiveness*: Treating secrecy as a red flag helps CISOs recognize situations that could expose them personally and avoid being drawn into unethical or illegal conduct. It also fosters a culture of transparency and accountability within the organization.
3. Hold crisis communication tabletop drills: Regularly practicing crisis communication scenarios prepares CISOs and their teams for real incidents and ensures everyone knows their roles and responsibilities. Drills should include legal counsel, communications and executive leadership, not just the security team, and should rehearse the notification deadlines the organization is subject to (for example, NIS2's 24-hour early warning and 72-hour incident notification).
- *Effectiveness*: Tabletop drills are an effective, low-cost way to surface gaps in roles, escalation paths and reporting timelines before an incident occurs. By practicing these scenarios, organizations reduce the risk of a mishandled response and the liability that follows from it.

These strategies reduce CISO liability risk when they are applied consistently and backed by a genuine commitment to ethical decision-making. No strategy eliminates all risk, however, and CISOs must remain vigilant in protecting both their organizations and themselves from potential liability.

In conclusion, the Fastly research highlights growing awareness of CISO liability and the proactive measures organizations are taking to reduce it. By addressing the key challenges CISOs face and implementing the strategies above, organizations can better protect their CISOs and strengthen their overall cybersecurity posture. As the threat and regulatory landscape continues to evolve, organizations must stay informed and adapt their strategies to mitigate risk and support their CISOs.