Until a decade ago, the biggest professional nightmare for a Chief Information Security Officer (CISO) was losing his or her job as a result of a spectacular hacking attack. It was an acute but purely corporate consequence. Today, the landscape is being dramatically transformed. In the face of new EU regulations such as NIS2 or DORA, as well as precedents from Western markets, what is at stake is no longer just a position within the company structure. The issue of personal legal and financial liability is on the table.
The transformation of the CISO’s role from a technical gatekeeper of infrastructure to a key business strategist is not only due to the natural evolution of the IT market. It is being forced by a confluence of geopolitical factors, the rapid development of artificial intelligence and the coming quantum revolution. However, it is the legislative layer that is making the security chief’s chair one of the ‘hottest’ seats in the modern enterprise.
The end of the “technical advisor”
For years, the role of the CISO was seen through the prism of hard skills: configuring firewalls, managing access or monitoring networks. Risk acceptance decisions were often made at lower levels, away from boardrooms. Current reality is brutally testing this model. The integration of artificial intelligence with cyber security systems means that the amount of data being processed exceeds what a human can perceive. Autonomous systems make decisions to repel attacks in real time, which raises fundamental questions about oversight.
Who is liable when an AI algorithm makes a mistake resulting in medical data leakage or supply chain paralysis? In light of upcoming regulations, the answer is increasingly less likely to be ‘the software provider’ and more likely to point to the executives who released the system in question.
The NIS2 Directive and the DORA Regulation are not just sets of technical guidelines. They are pieces of legislation that redefine the concept of ‘due diligence’. They shift the burden of responsibility from IT departments directly to governing bodies. In this arrangement, the CISO ceases to be just an engineer – he or she becomes the guardian of compliance and the guarantor that the company is operating within the boundaries of the law. Unfamiliarity with legislative nuances is becoming as dangerous to security managers as an unpatched software vulnerability (a zero-day).
Scapegoat syndrome vs. real perpetration
For years, there has been a debate in the cyber security community about the disparity between responsibility (accountability) and decision-making power (authority). Many CISOs fear a scenario in which they become a convenient ‘buffer’ for the board of directors in a moment of crisis. These fears are not unfounded. With cyber attacks supported by foreign governments or advanced ransomware groups becoming a daily occurrence, it is impossible to completely eliminate risk. The goal becomes resilience – the ability to survive an attack and recover quickly.
The problem arises when an organisation expects a ‘security guarantee’ from the CISO, while refusing a budget adequate to the risks. In the new legal regime, such asymmetry is dangerous for both parties. If the CISO is held criminally or civilly liable for failing to meet his or her obligations, he or she must have viable tools to block risky business projects.
The modern labour market is redefining these relationships. There is a trend where experienced security managers, during contract negotiations, demand that a clear decision-making framework be written into their contracts and that they be covered by D&O (Directors and Officers) insurance policies, which were traditionally reserved for board members. This signals a maturing of the industry – professionals are ready to take on the burden of responsibility, provided it goes hand in hand with a mandate to act.
“Paper Trail” – Bureaucracy as a defence shield
In the context of legal liability, the approach to documentation is also changing. What was once regarded as burdensome bureaucracy is now becoming a key element of the CISO’s defence strategy. The ‘trust but verify’ principle is giving way to an evidence-based approach.
In the face of threats from supply chains (Supply Chain Attacks) or advances in quantum computing, which may soon challenge current encryption standards, the CISO must demonstrate that he or she has taken all possible countermeasures available at a given technological stage. Documenting the decision-making process, including formal Risk Acceptance Forms (RACs) signed by the board, is no longer a formality. It proves that the security manager has reliably informed decision-makers about the consequences of, for example, not migrating to quantum-resilient cryptography or not implementing a Zero Trust architecture when integrating OT/IT systems.
This is because, in legal terms, it is not about being unsinkable – as there are no such strongholds in the digital world – but about proving that the highest standards of professionalism were adhered to and that any damage was not due to negligence.
CISO at the table, not in the server room
The evolution of threats is forcing a change in the positioning of the CISO in the organisational structure. Since cyber security touches on ethics (when implementing AI), geopolitics (when selecting cloud providers) and business continuity, the person responsible for it cannot report to the IT director, whose priority is system performance and availability. Conflicts of interest in such an arrangement are inevitable.
The modern management model involves the CISO sitting directly at the decision-making table, as a partner to the CEO and the board. His or her job is to translate complex technical issues into the language of business and financial risk. The role is evolving into that of ‘Architect of Trust’. In the digital economy, customer and partner trust is as hard a currency as share capital. A company that can transparently communicate its approach to data protection and AI ethics gains a competitive advantage.
Professionalisation through responsibility
The spectre of legal liability, while it may seem paralysing, has the potential to heal the business-security relationship in the long term. It will force the professionalisation of the CISO function, breaking it away from the stereotype of a ‘brake’ on innovation.
In the coming years, the market will be looking for hybrid leaders – combining deep technological knowledge with legal and ethical insight. The ability to navigate between the requirements of NIS2, the challenges of the post-quantum era and the pressures on the bottom line will become the definition of competence in this position. For companies, this means that not only cyber security budgets need to be revised, but more importantly – the responsibility structure. This is because security has ceased to be an IT problem and has become a parameter that determines a company’s existence in the regulated market.
