
I have a feeling companies in the US will have difficulty filling CISO roles in the future without offering golden parachutes (which kick in if the CISO is let go after disclosing a breach).

In cases of breaches there will often be commercial pressure within a company not to disclose (to avoid financial impact).

With personal criminal liability being a possibility for the CISO, they are then placed in the position of either disclosing regardless of internal pressure (risking their job) or not disclosing (and risking criminal prosecution).




Whistleblowers are protected from retaliation for disclosure by law (they don't need to risk their job); I'm not sure a golden parachute would afford much extra protection.

I would argue the golden parachute is better, since it leaves both parties in a state of resolution. A whistleblower law may provide legal coverage, but it is not difficult to imagine the social pressure being applied afterwards to someone who "stirs up a mess".

It's worth a shot. I agree with you that the laws are there, not just in America but in a lot of countries. However, the facts on the ground are fairly clear: whistleblowers suffer miserably. Then only some, after an ungodly amount of time, are hailed as heroes.

That's one of the great parts of GDPR: disclosures are mandatory and DPOs are personally responsible for disclosure, so they have to do it regardless of internal pressure.

I recently interviewed for a CISO role with an explicit "no fault" separation and payout clause in the event of a breach that occurred and required reporting despite security best practices and efforts to avoid it. It's already a thing, and it seems to be a given that the CISO is a sacrificial role.
