
CISO Jobs Just Got Riskier—But More Strategic. Here’s Why It Matters.

A recent study conducted by Fastly reveals that ninety-three percent of organizations have modified their policies to address the growing personal liability faced by Chief Information Security Officers, or CISOs. This shift comes in response to new regulations, including recent rules from the Securities and Exchange Commission regarding cybersecurity risk management and incident disclosure. Notably, forty-one percent of organizations are now involving CISOs more in board-level strategic decisions. To mitigate potential risks, thirty-eight percent of respondents have increased scrutiny of security documentation, while a similar number have improved legal support for cybersecurity staff, including introducing liability insurance. However, Marshall Erwin, CISO at Fastly, warns that merely investing in legal protection is not enough; true accountability requires clearer standards from regulators and a culture that incentivizes better security practices. The report further highlights a concerning lack of clarity in responsibility during cybersecurity incidents, with nearly half of the surveyed organizations unsure who holds ultimate accountability.

Cyberattacks targeting third-party vendors are causing unprecedented financial damage, according to a recent report by the cyber risk management firm Resilience. The report revealed that nearly one-quarter of cyber insurance claims filed last year involved material losses due to third-party breaches, marking a first for the company. Resilience noted that many incidents in 2024 disrupted businesses significantly, leading to larger financial impacts. The average cost of a data breach in 2024 was nearly 4.9 million dollars, with some incidents costing billions, such as the ransomware attack on UnitedHealth, which incurred 3.1 billion dollars in response costs. Resilience’s analysis also indicated that third-party risk now accounts for 31 percent of all claims filed, with ransomware targeting vendors contributing to 18 percent of incurred claims. The firm suggests that threat actors are shifting focus towards larger organizations, aiming for higher payouts.

ZeroBounce has unveiled its 2025 Email Statistics Report, offering valuable insights into email user behavior based on a survey of nearly one thousand participants across four continents. The findings reveal that a significant ninety-three percent of respondents check their email daily, with forty-two percent doing so three to five times a day. While thirty-five percent of users spend less than one hour managing their inboxes, an equal percentage dedicates between two and five hours each day. The report emphasizes that relevance is key to engagement, as forty-six percent of participants consistently open emails from brands that send relevant content. Additionally, eighty percent of individuals mark emails as spam if they appear spam-like, highlighting the importance of permission-based marketing. With sixty percent preferring email for work communication, the report underscores the ongoing dominance of email despite the rise of other platforms.

Why do we care?

CISOs are becoming strategic, not just operational. With 41% now involved in board-level decisions, service providers must position themselves as trusted advisors, aligning security offerings with broader business objectives. Some security leaders may hesitate to take on CISO roles—especially in organizations with unclear accountability structures. If clients struggle to retain security leadership, MSPs may see increased demand for virtual CISO (vCISO) services.

Hence the need to manage those third-party risks as well as email security.

Cyber insurance might become less viable. With high-cost payouts like the UnitedHealth breach, insurers could raise premiums, impose stricter requirements, or even exit the market for certain businesses. MSPs must prepare for a future where cyber insurance is harder to obtain or more expensive.