Shared responsibility, not a single point of failure

Fastly’s research also found that nearly half (46%) of organizations are unclear about who holds ultimate responsibility for cybersecurity incidents, while only 36% have clearly delineated roles and responsibilities within their teams. The research points to a significant gap in how organizations internalize responsibility and translate regulatory guidance into meaningful improvements to security postures.

Marshall Erwin added, “CISOs do not make the final call on every decision. When it comes to security risks, the question a board should be asking is, ‘Are we aligning the budget to address the risks the CISO has communicated to us?’ This is where accountability should start—at the senior leadership level, with clear communication and alignment of resources.”

This responsibility doesn’t just fall on one person—it requires clear communication at every level of the organization to understand how and why cybersecurity risks should be mitigated and how efforts should be aligned to reduce exposure.

Creating better standards

The report underscores the need for the industry to prepare for the next high-profile incident with stronger frameworks for accountability that incentivize meaningful actions, rather than just compliance measures. As regulatory standards continue to evolve, organizations should recognize that CISO liability is not a threat but an opportunity to solidify security postures and drive long-term change across organizations.

About the research

This research surveyed 1,800 key IT decision-makers with influence in cybersecurity at large organizations spanning multiple industries across North, Central, and South America, Europe, Asia-Pacific, and Japan. The interviews were conducted online by Sapio Research in September 2024 using an email invitation and an online survey.

To access the full set of data and understand how businesses are consolidating tools and changing their spending habits in the wake of high-profile cybersecurity incidents, visit here.