
SHERIDAN, WYOMING – March 4, 2025 – The responsibility of Chief Information Security Officers (CISOs) has increasingly come into focus in the past year. A study by edge cloud provider Fastly reveals that 91 percent of companies in the DACH region have adjusted their internal corporate policies in the preceding 12 months to address concerns about the personal liability of CISOs. This includes increased involvement of CISOs in strategic decisions at the executive level in 32 percent of companies.
At the end of 2023, newly introduced regulations – such as the SEC rules on risk management, strategy, governance, and disclosure of cyber incidents for listed companies in the USA – together with headlines about legal disputes drew significant attention to corporate responsibility and the personal liability of CISOs in data breaches. To reduce this risk, 37 percent of surveyed companies in Germany, Austria, and Switzerland said they have increased their oversight of regulatory disclosures and of the documentation of security incidents, while another 41 percent have improved legal support for cybersecurity teams, including their protection in liability cases. Overall, significantly more resources were allocated to security.
Although these measures can be seen as a positive development, Marshall Erwin, CISO at Fastly, doubts whether these changes are sufficient to adequately protect organizations and cybersecurity professionals.
Enhanced Strategic Involvement and Legal Safeguards for Cybersecurity Teams
"Global outages will remain inevitable in the future, which will once again bring the responsibility of CISOs into focus. In light of this, it is encouraging to see that the vast majority of companies are adjusting their disclosure practices regarding liability issues. Investing in legal safeguards is an important step, but these measures often aim more to protect organizations from legal risks than to promote a meaningful understanding of responsibilities that leads to better security practices," explains Marshall Erwin. "Adequate accountability goes beyond insurance and fulfilling disclosure obligations. For real change, we need to view responsibility as a positive force that creates incentives to improve security measures. For this, we need better, more clearly defined standards from regulatory and enforcement authorities that clearly distinguish inevitable incidents from those that were avoidable due to serious security deficiencies."
Shared Responsibility, Not Individual Failure
The survey also revealed that nearly half (47 percent) of organizations in the DACH region are unclear about who ultimately bears responsibility for cybersecurity incidents, as only 32 percent of respondents have clearly defined roles and responsibilities within their teams. The study also points to a significant gap in how companies internalize responsibilities and translate legal requirements into meaningful improvements in security measures.
Marshall Erwin adds:
"CISOs do not have the final say in every decision. When it comes to security risks, the board should ask: 'Are we budgeting to cover the risks communicated to us by the CISO?' Responsibility must start at the leadership level, with clear communication and appropriate resource allocation."
This responsibility does not rest on one person alone: it requires communication at every level of the organization so that everyone understands how, and with which measures, cybersecurity risks can be reduced.
Creating Better Frameworks
The study underscores that the industry must prepare for the next prominent incident with clearly defined frameworks regarding responsibilities. These frameworks should provide incentives for meaningful actions and not just for compliance. As regulatory standards continue to evolve, organizations must understand that the discussion about CISO liability is not a threat but an opportunity to strengthen their security structures and drive long-term changes in companies.
About the Study
The study surveyed 1,800 key IT decision-makers with influence over cybersecurity in large organizations across various industries in North, Central, and South America, Europe, Asia-Pacific, and Japan, including 200 experts in Germany, Austria, and Switzerland. The interviews were conducted by Sapio Research in September 2024 via an email invitation to an online survey.
About Fastly
Fastly's powerful, programmable edge cloud platform helps the world's top brands deliver outstanding online experiences. With solutions for edge computing, content delivery, cybersecurity, and observability, Fastly enhances website performance, comprehensively protects applications, and drives innovation on a global scale. Thanks to its modern platform architecture, Fastly enables developers to bring websites and applications to market in record time and deploy them cost-effectively. Companies worldwide, including Reddit, Neiman Marcus, Universal Music Group, and SeatGeek, rely on Fastly to optimize their online offerings.
For more information visit.