CIOs: Don’t Become Your Company’s Post-Breach Scapegoat

Stroz Friedberg is a specialized risk management firm built to help clients solve the complex challenges prevalent in today’s digital, connected, and regulated business world

When an incident occurs, the CIO often becomes the face of the company’s security shortcomings; in other words, the “fall guy.” This can leave CIOs wondering how to better prepare for the next breach and, equally important, how to keep their jobs when the witch hunt begins.

Here are some ideas we’ve gathered from smart CIOs whom we’ve supported:

  1. Proactively Educate The Business

There is a common misperception within many organizations that cybersecurity is IT’s responsibility, but CIOs know that security cannot be achieved by one person. Business leaders often don’t understand the role they must play in protecting the company. Additionally, boards and shareholders often don’t appreciate the complexity of the security challenges the organization faces. To prevent finger-pointing in the aftermath of a security crisis, CIOs should work proactively as advocates of internal collaboration, uniting the organization’s leaders and other stakeholders in a shared understanding of, and accountability for, the company’s security posture, and driving much-needed investment in the overall state of security.

  2. Arm Yourself and Your Company

Although not typically involved in day-to-day security activities, CIOs are accountable for making sure their organizations are prepared to handle current and emerging threats and for optimizing their organizations’ ability to detect and respond to these threats. CIOs must stay informed by arming themselves with information about the types of attacks occurring in the industry, the organization’s capabilities, and the easiest and most likely ways an attacker might gain access to the company’s environment. Additionally, the CIO must understand which assets are most important for the business to protect should an attacker successfully establish a foothold within the environment. Armed with this information, a CIO can greatly reduce the impact of security incidents.

  3. Put the Organization Through Its Paces

Armed with knowledge of the organization’s capabilities, critical assets, the evolving threat landscape, and current industry trends, a CIO can further reduce risk exposure by defining a strategic plan for tackling inevitable breaches and by testing the preparedness of the company’s incident response capability with tabletop exercises. This type of readiness testing validates the company’s posture and its practical ability to execute collaboratively in times of crisis, and it strengthens the organization’s capability by educating key stakeholders.

Protecting an organization from cybercrime isn’t easy. You can cross your fingers and hope for the best, or you can get smart about the risks and prepare your entire organization to act together in an emergency. Shared accountability is good for the company, and for a CIO’s career.


Our lawyers don’t want to miss out on the fun and would like you to know that all of the posts are the opinions of the individual authors and don’t necessarily reflect the opinions or positions of Stroz Friedberg. The ideas and strategies discussed herein may not be appropriate for any one reader’s situation and are not meant to be construed as advice.

Risk Areas: Cyber

I am: In the C-Suite or a Director

Tags: cybercrime, CIO


