- A third of security workers see CISO roles as ‘no-wins’
- Companies still aren’t giving security workers enough resources
- 15% say prosecution threats are preventing them from taking up CISO roles
Amid ongoing skills shortages, new research has revealed why many IT experts are unwilling to take up roles in cybersecurity despite healthy earning potentials.
Seven in 10 IT security decision-makers surveyed by BlackFog said stories of CISOs being held personally liable for cybersecurity incidents have negatively impacted how they see the role, putting them off wanting to progress into managerial and leadership positions.
Moreover, the survey participants added that leaders with responsibility are often finding themselves in a no-win situation, adding to the stress of the role.
Cybersecurity workers don’t want the pressure
One in three (34%) noted that security leaders would either face internal consequences for failing to report findings or face public criticism and potential prosecution if they do. The pressure isn’t just coming from within, though, with regulatory action influencing how companies are handling cybersecurity incidents.
Nearly half (44%) added their companies have already implemented processes to reduce their cybersecurity exposure in order to prevent regulatory scrutiny and accountability.
Two in five (41%) also noted that their Boards are taking cybersecurity more seriously as a result, however security workers are still waiting for leaders to take action, such as by providing more resources; only 10% have seen more money devoted to cybersecurity efforts.
“The role of the CISO is all about managing risk for the organization but, as regulations tighten, security leaders increasingly need to consider their own personal risk,” noted BlackFog CEO Dr Darren Williams.
The research highlighted a clear split – half (49%) believe that the potential for an individual to be prosecuted following a cyberattack would improve accountability and transparency, with 15% stating that this would deter them from wanting to take up CISO roles in the future.
Dr Williams called for clearer governance and incident reporting and response procedures, however cybersecurity workers including CISOs need the backing of their companies.
