CISOs in court: Balancing cyber resilience and legal accountability | Computer Weekly



Today, the role of the chief information security officer (CISO) has transcended traditional boundaries, moving beyond managing firewalls and compliance checklists. The current landscape, marked by an upsurge in regulatory scrutiny and lawsuits against individual CISOs, demands a new approach.

To navigate this challenging environment, the CISO must become a legal sentinel, meticulously documenting decisions and establishing a verifiable defence of “due care” to protect both the enterprise and themselves from legal repercussions.

The paradox is that the more visibility CISOs have gained, the greater their legal exposure becomes. The solution lies in governance by design, a strategic approach that aligns cyber controls, risk metrics and executive communication around transparency and accountability to build trust among regulators, customers and investors. Governance by design is a proactive approach that integrates legal considerations into every aspect of cyber security strategy and decision-making, ensuring that the organisation is always prepared for legal scrutiny. In essence, cyber resilience and legal defensibility are now two sides of the same coin.

The legal landscape: Why CISOs are in the crosshairs

CISOs traditionally operated behind the scenes, focusing on threat prevention and response as technologists. Today, regulators expect CISOs to demonstrate not only technical competence but also governance maturity, ethical decision-making and transparency. Cyber security laws, such as the SEC’s Cyber Disclosure Rules, the EU’s General Data Protection Regulation (GDPR) and state-level privacy acts like the California Consumer Privacy Act (CCPA), impose explicit duties on organisations to report breaches promptly, maintain reasonable safeguards and ensure transparency in disclosures.

When organisations fail to meet these obligations, regulators and investors increasingly look to the CISO as the responsible executive. We can see this in class-action lawsuits that now routinely name CISOs as defendants, especially when plaintiffs allege that executives ignored warnings, underfunded security programmes or misled stakeholders.

The CISO’s emails, reports and board presentations often become evidence in litigation, making documentation and communication practices critical risk factors in their own right. The CISO’s defence rests on demonstrating due diligence: proving that they provided the board with accurate risk assessments and that reasonable security measures were implemented, given the company’s resources and risk profile.

Protecting the organisation: Legal foresight as a security control

To protect the enterprise, CISOs must adopt a dual-lens mindset: one focused on risk reduction through technical and operational controls, and another geared to legal defensibility. Several best practices help balance these priorities, ensuring that legal implications are considered in every security decision.

  • Embed legal awareness in cyber strategy: By integrating legal counsel into incident response, risk assessment, tabletop exercises, data protection impact assessments and vendor management discussions, security leaders can ensure that regulatory implications are understood before crises occur.
  • Build a defensible documentation trail: CISOs must document major security decisions, such as risk acceptance, budget trade-offs and vendor selections, along with the rationale, as these records become invaluable in proving due diligence if an incident leads to regulatory review or litigation.
  • Adopt a “disclosure-ready” posture: Ensuring that systems are in place for early breach detection, internal escalation and timely communication to leadership is crucial. This transparency, when clearly implemented, can mitigate reputational and legal fallout.
  • Implement continuous oversight and board reporting: Presenting regular security briefings to the board that focus on measurable risk indicators, rather than just providing technical updates, helps drive accountability and distribute liability more equitably across governance layers.

Protecting the CISO: Personal legal safety nets

As accountability grows, CISOs must treat their personal risk exposure as part of professional hygiene. The following safeguards are now essential components of an executive’s toolkit:

  • Directors and officers (D&O) insurance cover: CISOs must ensure that their comprehensive D&O insurance explicitly includes cyber security-related claims and personal indemnification clauses that specifically address the CISO role.
  • Document and escalate material risks: If CISOs identify systemic weaknesses, such as a lack of funding, unpatched legacy systems, or noncompliance, they must formally escalate these risks to leadership and record the communication, as silence or informal discussions can later be construed as negligence.
  • Establish a personal legal relationship: In high-stakes scenarios, the company’s counsel represents the organisation, not the individual. CISOs should have access to independent legal advice when handling investigations or disclosure decisions involving personal accountability.
  • Maintain ethical and transparent communication: Misrepresentation is often the catalyst for prosecution. When briefing executives or regulators, the CISO must ensure that all statements are factual and appropriately qualified. Overpromising on security posture or mischaracterising an incident can backfire.
  • Foster a culture of shared responsibility: The CISO should advocate that cyber security is a collective enterprise responsibility, not a siloed function. Embedding security accountability across engineering, operations and business units helps dilute individual liability and strengthen overall resilience.

Summing up

The CISO operates in one of the most demanding roles in the modern economy. Their technical expertise is what builds the defensive wall, but their diligence in governance and documentation is what creates the legal fort. By integrating legal foresight into cyber strategy, documenting transparent governance and securing personal protection, CISOs can transform potential liability into institutional resilience. CISOs must consistently demonstrate a defensible standard of reasonable security and absolute transparency to lead their organisation through an age defined by digital risk and legal scrutiny. Cyber security leadership is no longer just about protecting systems; it’s about protecting the people who defend the organisation, including the CISO and their team.

Aditya K Sood is vice president of security engineering and AI strategy at Aryaka.




The Best Movies to Stream This Month



April might be springtime in the northern hemisphere, but some of the best streaming services seem to think it’s the perfect time for a dry run of spooky season. How else to explain the arrival of some exquisitely dark slices of horror, like 28 Years Later: The Bone Temple arriving on Netflix, Weapons coming to Prime Video, or Shelby Oaks landing on Hulu? If you prefer your off-season Halloween viewing to be in the vein of campy B movies rather than serious scares, though, horror specialist Shudder has you covered with Deathstalker, a gloriously cheesy reboot of a near-forgotten ’80s series.

Reality is often scarier than fiction though, as shown by Louis Theroux’s Inside the Manosphere—his first documentary film with Netflix, exploring the dark side of social media and the world of toxic male influencers. (Be sure to read our interview with the filmmaker.) And if the thought of that leaves you wanting something a bit more wholesome to watch, thankfully Zootopia 2 has popped up on Disney+—and there’s even a rabbit in that, for some appropriately springtime imagery.

Here are WIRED’s picks of the best movies to watch right now.

28 Years Later: The Bone Temple

The fourth film in the long-running postapocalyptic horror series switches focus from rampaging rage zombies to a more dangerous threat: humans. OK, OK, “people are the real monsters” isn’t a hot take for the genre, but The Bone Temple offers a unique twist, with 28 Years Later survivor Spike (Alfie Williams) trapped in the company of a murderous gang led by deranged satanist “Sir Lord” Jimmy Crystal (Sinners’ Jack O’Connell). The villain is modeled on disgraced British TV presenter Jimmy Savile, whose sexual abuse crimes hadn’t been revealed by the time of the initial outbreak in 28 Days Later, adding a dash of real-world terror.

As the group stalks what remains of the English countryside, Spike’s only hope might be Dr. Ian Kelson (Ralph Fiennes), whose experiments on curing alpha zombie Samson (Chi Lewis-Parry) might hold humanity’s last hope. Although best watched back to back with its predecessor for the full, horrifying picture, director Nia DaCosta’s chapter stands on its own—and earns bonus points for one of the best uses of Iron Maiden’s “Number of the Beast” in film history.

Louis Theroux: Inside the Manosphere

It’s the silence that does the trick; British documentarian Louis Theroux always knows when not to speak and instead let his subject expose themselves for the world to see. It’s a masterful technique whether Theroux is investigating the Westboro Baptist Church or UFO conspiracy theorists, but it is rarely put to better use than in his latest outing: exploring the online “manosphere” subculture of self-appointed “alphas” offering toxic advice on how to be a “real man.” Speaking with key figures in the loosely defined movement, Theroux’s mild-mannered approach often leaves them to do most of the talking, exposing shockingly misogynistic and extremist views. Even more distressing? The quiet revelation that for many of them their performative masculinity is all just one big grift, and how they rationalize the harm they cause in pursuit of a payout. Depressing but compelling viewing—not all men, but definitely all of these men.

Crime 101

Jewel thief Mike (Chris Hemsworth) is the best in the business, a meticulous planner who pulls off his heists without leaving a shred of evidence—much to the consternation of LAPD detective Lou Lubesnick (Mark Ruffalo), who doesn’t even know exactly who he’s hunting for a string of thefts. Elsewhere in the City of Angels, Sharon (Halle Berry) is an underappreciated VP at an insurance firm, frustrated at being passed over for promotion for years. She’s the perfect insider to help Mike orchestrate an elaborate $11 million diamond heist. But as Lou uncovers evidence connecting to Mike’s past, and the chaotic, violent biker Ormon (Barry Keoghan) aims to take the score for himself, even the most masterful planning can’t prevent everything spiraling dangerously out of control.




OpenAI Executive Kevin Weil Is Leaving the Company



Kevin Weil, OpenAI’s former chief product officer who was recently tapped to build a new AI workspace for scientists, Prism, is leaving the company, WIRED has confirmed. Weil was previously an early executive leading product at Instagram.

OpenAI is also sunsetting Prism, which the company launched as a web app in January this year to give scientists a better way to work with AI. The company is folding the roughly 10-person team behind it into Thibault Sottiaux’s Codex team. An OpenAI spokesperson confirmed the changes, and tells WIRED this is part of the company’s effort to unify its business and product strategy. OpenAI has broader ambitions to turn Codex, its AI coding application, into an “everything app.”

Weil, who joined OpenAI in June 2024, announced last September that he would be starting a new initiative inside of the company called “OpenAI for Science.” Now, OpenAI is dispersing those employees throughout the company’s product, research, and infrastructure teams. An OpenAI spokesperson reiterated the company’s commitment to accelerating scientific discovery, and says it’s one of the clearest ways AI can benefit humanity.

OpenAI is currently trying to refocus the company around a few key areas, such as enterprise offerings and coding. Last month, OpenAI’s CEO of AGI deployment Fidji Simo told staff that the company needs to simplify its product offerings. The push to divert resources to more consequential efforts resulted in OpenAI discontinuing its Sora video-generation app.

This is a developing story. Please check back for updates.




Gazing Into Sam Altman’s Orb Now Proves You’re Human on Tinder



Sam Altman’s iris-scanning, humanity-verifying World project announced at an event in San Francisco on Friday that Tinder users around the globe can now put a digital badge on their profiles signaling to potential suitors that they’re a real human, provided they’ve already stared into one of World’s glossy white Orbs and allowed their eyes to be scanned. The announcement follows a pilot project for Tinder verification that World previously conducted in Japan.

The global Tinder expansion is one of the biggest tests yet for World, and the company’s bet that everyday consumers will be willing to sign up for biometric verification services to use internet applications. Founded in 2019 by Altman and Alex Blania, the World project was designed for a future where the internet is overrun with highly capable AI agents that make it incredibly difficult, if not impossible, to tell who is really human. As companies like OpenAI—where Altman is CEO—and Anthropic push AI agents into the mainstream, the problem World was built to solve feels increasingly urgent.

But World has struggled to achieve mainstream adoption, and it has encountered resistance from governments around the globe that have probed the company over suspected violations of data protection laws. The company says 18 million people have now been verified with an Orb, up from 12 million last year.

In addition to the Tinder global expansion, Tools for Humanity, the company behind World, announced a number of other consumer and enterprise partnerships on Friday at its Lift Off event in San Francisco. The startup says Tinder users who verify with their World ID will receive five free “boosts,” typically a paid feature that increases the number of users who see a profile by up to 10 times for 30 minutes. The videoconferencing platform Zoom also says that users can now require other participants to verify their identity with World before joining a call. Docusign, the contract signing software, will allow users to require World’s identity verification technology.

Tiago Sada, Tools for Humanity’s chief product officer, tells WIRED the company sees major platform partnerships as key to helping World become a mainstream identity-verification technology. Sada said he’s especially interested in working with social media companies in the future, and was encouraged to see that Reddit has started testing World as a solution to help users distinguish bots from real people.

World is also launching a tool called Concert Kit, which lets artists reserve concert tickets for verified humans, a pitch aimed squarely at the bot-driven scalping problem that critics say has plagued sites like TicketMaster. World will test the feature on the upcoming Bruno Mars World Tour featuring Anderson .Paak, who is scheduled to play a verified-humans-only show under his alias DJ Pee .Wee in San Francisco on Friday night.

No new hardware announcements or updates were made at Friday’s event. World first launched the iris-scanning Orb back in 2023, alongside a mobile app that contains “mini apps” for different verification and blockchain-related programs. After a person scans their eyeball with one of World’s Orbs, the startup creates a unique cryptographic key for each person—their World ID. This creates a private, decentralized way to verify people online, without requiring them to upload their government ID all over the internet.

The project was initially called Worldcoin, and in the early days the startup offered people free cryptocurrency to scan their irises. World still offers a cryptocurrency token and a wallet for digital currencies, but dropped the “coin” from its name in 2024 and has since shifted its focus to identity verification for the AI era. Jess Montejano, a spokesperson for Tools for Humanity, says the company still offers crypto as an incentive when new users sign up, but has also expanded its offerings to include Netflix and Apple TV subscription trials.


