One thing that’s become clear over the last year is that pressure on CISOs is rising. Beyond the normal, everyday stresses of the role, CISOs now have to contend with the possibility of facing criminal charges for mishandling a cyber incident or misrepresenting their organization’s cybersecurity posture. The prospect of being indicted over a cyberattack will have a variety of downstream effects in 2024. It will impact the hiring market for CISOs, affect their compensation, and change the culture around cyber whistleblowing.
CISOs Will Flock to High-Integrity Organizations
Between the sentencing of former Uber CSO Joe Sullivan and the charges leveled against SolarWinds CISO Timothy G. Brown, 2023 set a new precedent for culpability in major cyber incidents. The SEC and US federal prosecutors have demonstrated not only a willingness to hold CISOs directly accountable but also that the CISO is the first and easiest target.
The message to CISOs at publicly traded companies is clear: figure out who you’re working for, quickly, or put your career at risk. In 2024, we’ll see more CISOs making a concerted effort to avoid organizations with questionable integrity or dubious cybersecurity practices. Gone are the days when a CISO might be tempted to join a high-flying company with a flashy CEO for the perceived career-building opportunity.
Instead, CISOs will put added scrutiny on cybersecurity budgets, staffing, existing controls, and governance at organizations where they’re interviewing for jobs to ensure they’re set up for success rather than failure. They’ll also look to join leadership teams composed of individuals who share similar values, hold themselves to a strong code of conduct, and will support them rather than scapegoat them in times of crisis. CISOs won’t put up with leaders who pressure them to downplay or underreport cyber risk.
On the other side of the coin, organizations with even a whiff of controversy or that have a history of high CISO turnover will find it increasingly difficult to fill empty CISO chairs as savvy security executives spurn them in favor of employers they can trust.
CISO Compensation Will Increase to Reflect Growing Pressures
Due to the increased legal risk associated with their roles, CISOs for SEC-regulated, publicly traded companies will demand Directors and Officers (D&O) insurance as part of their compensation. They will also command higher total compensation to offset the additional financial and personal risk associated with their role. This will, in turn, drive up compensation for all CISOs, including those at private equity portfolio companies as well as privately owned and financed companies.
We’re Entering the Cyber Whistleblower Era
With more legal responsibility falling on the shoulders of cyber leaders, whistleblowers will see even more reason to report inadequate security controls or disreputable behavior to federal regulators. Resource-constrained organizations that cut corners will find themselves in hot water as their practices come to light.
As an additional twist, and as we’ve already started to see, ransomware actors will insert themselves into the whistleblowing process as a way to force publicly traded companies to comply with their ransom demands. Unscrupulous organizations will find themselves on the horns of a dilemma as they try to decide which is worse: facing serious regulatory consequences or paying out a hefty ransom, with no guarantee that the extortionists won’t compound their problems by blowing the whistle anyway once they get their money.
Does the prospect of facing criminal charges for a data breach or for misrepresenting your organization’s cybersecurity posture concern you, and are you changing your approach to how you do your job as a result? Join the conversation on the ExtraHop Customer Community.