The CISO: how chief information security officers can mitigate cyber-risks

Abstract illustration of cracked ice, symbolizing cyber-risk

At the heart of any successful cyber-resilience strategy to mitigate cyber-risk is the chief information security officer (CISO) Image: Flickr/Phil Grondin

Milton Cheng
Global Chair, Baker McKenzie
Cyrus R. Vance Jr.
Partner, Baker McKenzie
This article is part of: World Economic Forum Annual Meeting
  • Cybersecurity and data privacy are top dispute concerns for businesses in 2025.
  • Regulatory pressures, increasing frequency and sophistication of attacks and changing operational models are intensifying cybersecurity anxieties.
  • How can chief information security officers (CISOs) mitigate cybersecurity and data privacy risks, to both organizations and themselves?

The growing sophistication of cyberattacks, stringent regulation and shifting operational models have organizations bracing themselves against new levels of cyber-risk. The latest Global Disputes Forecast report from Baker McKenzie identifies cybersecurity and data privacy as top dispute concerns for global businesses in 2025.

At the heart of any successful cyber-resilience strategy is the chief information security officer (CISO), who balances technology, business needs and legal compliance.

This article examines the critical drivers that are intensifying cybersecurity and data privacy concerns, the evolving role of CISOs, and practical strategies to mitigate both organizational and personal risks.

Heightened cybersecurity and data privacy concerns

Three crucial driving forces are heightening cybersecurity and data privacy risks:

1. Regulatory pressures

Governments globally are strengthening cybersecurity regulation. Frameworks like the EU’s Network and Information Security 2 Directive (NIS2) and Cyber Resilience Act require rigorous security measures and prompt reporting of breaches. In the US, individual states and sectoral regulators such as the Federal Trade Commission (FTC), the Securities and Exchange Commission (SEC), and New York's Department of Financial Services increasingly require robust cybersecurity controls and governance measures.

In addition, the US’ Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) will require companies in critical sectors to report not only security breaches, but also any ransom payments made as a result. Notably, Baker McKenzie’s report highlights that 70% of respondents who list cybersecurity and data privacy as a disputed risk area cite regulatory scrutiny as their primary concern.

Global Disputes Forecast
Organizations are bracing themselves against increasingly sophisticated cyberattacks Image: Baker McKenzie

2. Increasing frequency and sophistication of attacks

Technological advancements such as generative AI, coupled with ongoing geopolitical uncertainty, have expanded the cyber-threat landscape. Supply chain vulnerabilities further exacerbate risks, as breaches in one business can cascade across networks. Organizations must address both internal compliance and supply chain security.

3. Changing operational models

The post-pandemic rise in remote work and the growing use of cloud services and third-party vendors have significantly broadened organizations’ threat surfaces, necessitating comprehensive security strategies. This also triggers concerns over managing board-level accountability for cybersecurity risk, a concern indicated by more than one-third of respondents.

The evolving role of the CISO

The modern CISO operates at the nexus of technology, strategy and compliance. Their responsibilities extend beyond traditional technical oversight, encompassing regulatory compliance and strategic alignment. As cybersecurity risks increasingly translate into business risks, CISOs now face heightened accountability from regulators and board members alike, with growing personal liability for compliance failures or data breaches.

This evolving role requires CISOs to take a more integrated approach, working closely with departments such as legal, compliance and IT. They must ensure the organization’s cybersecurity strategy is not only aligned with shifting regulations but that it also supports broader business objectives. To do this, they must balance operational practices with regulatory requirements while safeguarding the organization from external threats and internal vulnerabilities.

Strategies for mitigating cybersecurity and data privacy risks

To address today’s complex threat landscape, CISOs must take an integrated approach involving:

  • Regulatory alignment: align operational practices with global regulations such as NIS2, the Cyber Resilience Act and the CIRCIA. Taking proactive steps – such as implementing a zero-trust architecture and conducting supply chain risk assessments – is crucial. Regularly simulating cybersecurity incidents and conducting routine regulatory audits helps identify vulnerabilities and ensures readiness for external scrutiny.
  • Cross-functional collaboration: regularly engage with other parts of the organization, including board members. This not only helps CISOs to anticipate emerging risks and ensure compliance but also positions cybersecurity as a strategic priority and cultivates a culture of vigilance and accountability across the organization. Some regulations explicitly require board-level reporting by the CISO.
  • Mitigate vulnerabilities: conduct employee training to recognize and respond to threats such as phishing, as human error is a primary entry point for cyberattacks. Organizations must also conduct vendor assessments and prepare for worst-case scenarios through contractual protections and contingency planning.

Global Disputes Forecast
Technological advancements, such as generative AI, have expanded the cyber-threat landscape Image: Baker McKenzie

Personal protection for CISOs

While these strategies mitigate organizational risks, the evolving role of the CISO requires parallel measures to safeguard against personal liability. As their responsibilities expand, CISOs face increasing personal exposure. To alleviate these risks, they must take a proactive approach to legal protection, peer exchange, legal education and oversight of public messaging through the following:

1. Legal and financial safeguards

CISOs should negotiate indemnification agreements to shield against personal liability for decisions made in good faith. They must also secure provisions for the advancement of defence costs in case of litigation. These measures provide not just financial security but also the confidence to act decisively in high-stakes situations.

2. Peer exchange

Collaboration with other CISOs is invaluable for benchmarking best practices and staying ahead of emerging risks. Platforms like the World Economic Forum’s CISO Community offer opportunities for knowledge sharing and industry alignment.

3. Legal awareness

While not legal experts, CISOs need a strong grasp of the legal frameworks governing cybersecurity. Regular legal training and oversight of resilience testing ensure alignment with compliance requirements.

4. Oversight of corporate messaging

Public statements about an organization's cybersecurity practices must be accurate and realistic. CISOs should ensure that corporate messaging reflects the organization’s actual security posture to avoid misrepresentation and potential legal liability.

Cybersecurity is no longer an isolated IT concern; it is a boardroom priority requiring organization-wide collaboration and robust leadership. At the forefront of this transformation, CISOs play a pivotal role in navigating the crossroads between technology, strategy and compliance.

By implementing a robust cybersecurity framework, fostering a culture of accountability and proactively mitigating both organizational and personal risk exposure, CISOs can enhance their organization’s resilience and their own security.

Additional contributions to this blog post from Elizabeth Roper.
