In today’s hyper-connected world, cybersecurity is a priority for every organization. Yet despite efforts to bolster defenses, a staggering 61% of companies in the US and UK suffered security breaches over the past year. This trend isn’t just affecting systems and data—it’s also impacting budgets, with US businesses alone losing $30 billion annually due to ineffective security policies and controls. As security leaders grapple with growing scrutiny from boards and regulators, many are now taking drastic steps to protect themselves from the personal risks associated with cybersecurity failures.
Cybersecurity Failures and the Costly Fallout
With breaches becoming increasingly common, security leaders are under mounting pressure to provide reliable assurances to stakeholders. A recent report by cybersecurity firm Panaseer reveals that 85% of security decision-makers (SDMs) face heightened scrutiny from senior management, with 57% struggling to provide these assurances due to a lack of reliable data. This data gap leaves many in the uncomfortable position of vouching for security without the necessary tools to support their claims, a dilemma that can have costly consequences.
Jonathan Gill, CEO of Panaseer, underscores the challenges. “Security failures aren’t just about inadequate controls. It’s about the inability of security leaders to get accurate, timely insights into how those controls perform,” he explains. Boards want reassurances that their security investments are effective, yet only 55% of SDMs feel fully confident in the accuracy of the data they’re presenting to the board. This gap in confidence has real financial implications, particularly as regulatory bodies like the SEC introduce stricter rules and penalties for cybersecurity lapses.
Insurance as a Safety Net—or a Band-Aid?
To protect themselves against potential fallout from breaches, a striking 72% of security leaders have taken out personal indemnity insurance in the past year. This move shields them from legal and financial consequences but doesn’t address the root causes of security lapses. Gill highlights this “Band-Aid” approach, noting that it reflects the blame culture prevalent in cybersecurity, where security leaders are often held personally responsible for incidents they can’t always prevent.
And the problem doesn’t stop there. Of those who have indemnity insurance, only 34% have policies that will protect them indefinitely, leaving the majority exposed if they move to another company. For many CISOs, this is just another reminder of how cybersecurity roles have become high-stakes positions. As Gill observes, “Some CISOs are forced to plaster over the cracks with personal indemnity insurance. But this doesn’t address the systemic issues that put them in this precarious position to begin with.”
Rising Liability and Mixed Reactions Among Security Leaders
With liability concerns on the rise, cybersecurity leaders are responding in different ways. A majority, 75%, report feeling a heightened sense of personal responsibility for security failures compared to two years ago. Yet opinions on this increased accountability are divided. Around 72% of SDMs see the increased liability as fair, and 44% even view it as an opportunity to elevate industry standards.
Others, however, feel the pressure is unwarranted. Nearly 28% of security leaders believe that making them personally accountable for security failures is unfair, with 23% expressing outright frustration. This divide points to a broader debate within the cybersecurity community about where responsibility should lie. For some, the heightened scrutiny is an incentive to push for higher standards; for others, it’s a source of stress and, in some cases, a reason to consider leaving the field altogether.
Extra Reporting Pressure and Data Gaps Add to the Challenge
The responsibilities of security teams aren’t limited to just preventing breaches; they’re also expected to keep stakeholders informed about everything from compliance status to risk levels. Panaseer’s report reveals that 72% of security leaders feel their teams could prevent more breaches if they spent less time on reporting and more time on active threat prevention. But the demands for reporting are growing, with 89% of security leaders now expected to provide data on the effectiveness of security investments and metrics that justify cybersecurity spending.
Yet, a lack of proper analytical tools complicates this task. About 67% of security teams lack specialized tools to assess and report on cybersecurity risks accurately, resulting in visibility gaps that limit their ability to communicate risks effectively. Gill points out a key issue: “Other business functions have access to systems that provide a single source of truth, like SAP and Salesforce, but CISOs are often left cobbling together data from disparate sources.” Without a unified view of assets, security leaders can only do so much to ensure comprehensive security, leaving them exposed to unknown risks.
In many organizations, cybersecurity now involves coordinating with multiple teams outside the security department. According to Panaseer’s findings, 85% of security leaders report they have to drive accountability across departments, highlighting a growing need for a collaborative approach to security that shares the burden rather than centralizing it on CISOs alone.
Balancing Accountability with Support: What’s Next for Security Leadership?
As security breaches become more common and costly, the demands on security leaders will likely continue to grow. But there’s a consensus that if this pressure becomes too focused on individuals, it risks alienating skilled professionals from the industry. “CISOs shouldn’t be made scapegoats for security incidents,” Gill stresses. “We must recognize the good work they do and avoid making them the sole targets of blame.”
The cybersecurity industry is grappling with a difficult balancing act: finding a way to hold leaders accountable while ensuring they have the tools, resources, and team support needed to perform their roles effectively. Without this balance, the industry risks pushing out experienced leaders who see their roles as unsustainable under current conditions.
With cybersecurity threats constantly evolving, businesses must reconsider how they approach security management. Providing CISOs with a “golden source of truth,” as Gill puts it, may be one way to reduce the pressure on individual leaders and improve overall cybersecurity effectiveness. Such a system would allow security leaders to monitor risks, address gaps proactively, and provide stakeholders with reliable data, making the entire organization safer in the process.
For now, the costs of cybersecurity failures continue to mount, with businesses bearing the brunt of inadequate defenses and ineffective governance. The industry may need a shift in focus, one that doesn’t just rely on individual leaders to uphold security standards but integrates cybersecurity as a core part of every business function.