In a world economy increasingly reliant on digital systems, regulators have looked for someone to blame when a cyberattack disrupts networks. Marshall Erwin, chief information security officer at Fastly, thinks pointing fingers is diverting time and resources from companies boosting their cybersecurity defenses.
Fastly, a cloud service provider based in San Francisco, has some of the largest tech companies in the world relying on its infrastructure running securely at all times. So Erwin, who leads three teams as the CISO, understands that their choices can have a big impact on the internet.
“We run large amounts of traffic for some of the largest companies on the planet,” Erwin said. “Although we’re a relatively small company compared to the biggest players…the scope of the decisions we make are pretty critical.”
Tensions around legal liability have increased ever since the Securities and Exchange Commission in 2023 charged software company SolarWinds and its CISO Timothy Brown over allegations they misled investors about the cybersecurity risks the company faced. The case has hammered home to security officers that regulators and the public will put their cybersecurity decisions under the microscope.
A survey of more than 1,800 decision makers globally published by Fastly on Tuesday shows that it’s unclear whether the focus on CISOs is merely encouraging checkbox compliance tactics. In effect, are businesses prioritizing protecting themselves legally from regulators rather than from malicious hackers?
“CISO liability and accountability can be a good thing if it’s done correctly, but thus far, we don’t see it being done correctly or it doesn’t seem to be moving the needle in a meaningful way towards improving security,” said Erwin.
Scapegoats and budget woes
In Fastly’s survey, 87% of respondents said they expect to see IT teams getting an increased budget. But Fastly also noted that “security teams will face an uphill struggle as they try to convince senior executives to part with that budget.”
In the company’s 2023 survey on the same topic, more than three quarters of respondents said they planned to invest more in cybersecurity. However, more than half of the 2024 respondents say their businesses actually under-invested last year.
Erwin said that while most companies are making “major policy changes” to address legal concerns, those changes are largely driven by regulators taking a case-by-case view of enforcement like the SEC did with SolarWinds over how to properly disclose an incident.
For example, 38% of the respondents in Fastly’s survey have modified their own disclosure policies and added cybersecurity insurance to protect cybersecurity staff from personal liability. While those actions are positive, Erwin says, “the intent of the accountability regime should be to actually improve security and incentivize better security practices…not just modify disclosure documents.”
Disclosing a breach is something a CISO should be concerned about, he noted. But it’s not something that improves security beyond reducing legal liability.
Erwin said the three things businesses should rethink when it comes to accountability are:
- Breaches will always happen. So distinguish between the avoidable and unavoidable.
- Security should be a shared responsibility and not fall to one person.
- Clearly define who is responsible for an incident when a successful attack occurs.
While cyber attacks will happen, it’s usually possible to avoid the worst-case scenarios with the right preparation. Erwin said that since security is a shared responsibility, accountability when something goes wrong should be spread among the business units.
At Fastly, the decision about whether to invest in addressing a cyber risk falls to either the chief product officer or the engineering leader. Erwin’s role as CISO is to advise them on cybersecurity risks, but “in the end they’re often going to own the decision,” he said.
“Ultimately, I don’t think you can put accountability on one individual who doesn’t fully own the decision and the resources to address the risk. It needs to apply across those groups,” Erwin said.
A clear standard is hard to come by when regulation is done through enforcement of individual cases, Erwin said. Guidance on cyber liability regulation is still new and driven largely by a few cases regulators have filed against companies, leaving executives to interpret the minutiae of a particular case in the hope that the next enforcement case is consistent.
The SEC’s look at the SolarWinds incident, a sophisticated cyberespionage operation by Russian hackers that used the company to access sensitive federal networks and was revealed in late 2020, is one example. Many companies examine how such cases are enforced to decide how to act. Erwin says enforcement should move beyond “the perception that CISOs are the scapegoat,” otherwise the trend of checkmark compliance will continue. By taking the case-by-case approach to enforcement, regulators are also creating “a certain level of chaos and uncertainty among the security leader community,” Erwin said.
Like most businesses, Erwin said, Fastly has processes for dealing with a vulnerability or some other cybersecurity project. Engineers are expected to meet timelines to fix any bug, and bugs that are judged not to need fixing also go through an established process.
It gets tricky when it comes to consulting with the leaders on how best to address cybersecurity risk. Talks with leaders are often much more soft-skill based than the day-to-day decision making.
“The core part of my role is making sure that we assess risk effectively and then communicate that up to the C-suite and then the board,” Erwin said. “If I have done that correctly—I have assessed the risk and communicated the risk—I have ultimately done my job.”
Correction, March 4, 2025: An earlier version of this article included a misspelling of Marshall Erwin’s last name.