Cybersecurity failures stem from organizational design that gives CISOs accountability for risk without the authority to manage it, turning them into scapegoats when breaches occur.
Michael McLaughlin, Co-Leader of the Cybersecurity and Data Privacy Practice Group at Buchanan Ingersoll & Rooney PC, describes how CISOs are buried under CIOs or CTOs, sidelined from real decision-making, and exposed to legal and personal liability.
He calls for executive ownership of cyber risk, use of the CIA Triad to define what truly matters, and governance that prioritizes culture and accountability over buying more security tools.
Most cybersecurity failures begin with how power is structured inside the organization. CISOs are frequently given ownership of risk without the authority to act on it, pushed beneath CIOs or CTOs and reduced to an advisory role. As ransomware grows into a projected $275 billion industry by 2031, that imbalance becomes a material business risk. When breaches occur, accountability rarely reaches the board or executive team. It lands on the CISO.
According to Michael McLaughlin, the Co-Leader of the Cybersecurity and Data Privacy Practice Group and a Principal Policy Advisor at law firm Buchanan Ingersoll & Rooney PC, the executive mindset needs to shift. A veteran naval officer who once ran counterintelligence for U.S. Cyber Command, McLaughlin draws on decades of national security experience to advise clients on cyber threats. His experience running both pre-breach planning and crisis response gives him a 360-degree view of how and why companies fail. He says the problem starts with the CISO’s position on the org chart.
"Most companies mis-empower the CISO. Reporting to a CIO or CTO keeps the role out of the C-suite, and as a result, security continues to take a back seat," says McLaughlin. By burying the security leader under a CIO or CTO, companies create a system where security is destined to lose.
Fines and lawsuits: To be heard, a disempowered CISO needs to speak the language the rest of the business understands best: dollars and cents. The goal is to translate abstract risk into concrete business impact by connecting security failures to direct financial outcomes. "For a healthcare entity, a breach brings substantial enforcement actions. They could be removed from the Medicaid and Medicare programs. From a dollars and cents perspective, that's enormous," says McLaughlin. "On top of that, if you have more than a thousand people impacted, you can almost guarantee a class-action lawsuit. The average HIPAA penalty is around a million dollars, and a class-action settlement can easily run into the high-seven figures."
But this communication strategy can create its own liability traps. Effectively documenting risk for public filings like a 10-K creates a paper trail that can be used against the CISO. Their "ground truth" report can be dangerously altered by other executives, leaving the CISO to take the fall. These dynamics can also expose the CISO to personal liability from their own well-intentioned policies.
The ground truth gets grounded: "I've worked with a lot of CISOs who will do the governance aspect of 10-Ks, and when it actually gets filed, it looks nothing like the document they submitted. It has been completely retooled by the finance department or the CFO to tell a story that they want to tell as opposed to the ground truth," notes McLaughlin.
Policy pitfalls: "Companies hang themselves on their own policies. If your policies are aspirational, and they're not things that the company can actually adhere to, you're opening yourselves up to claims of negligence. If the budget gets cut and a policy becomes unachievable, it must be updated. Otherwise, that document is a liability that will absolutely fall on the CISO."
Your personal parachute: Given this reality, McLaughlin’s advice is for CISOs to protect themselves before they even take the job by demanding the same protections afforded to other top executives. "I would never take a CISO position without D&O liability insurance and a full indemnification from the company," he says. "The company needs to provide insurance that will cover you in any lawsuit or enforcement action, because otherwise, that liability falls squarely on the individual. Traditionally, CISOs aren't covered by D&O insurance because they are not actually C-suite officers."
Personal protection is just a shield, not a solution. According to McLaughlin, the real fix isn't about protecting the CISO; it's about changing the entire corporate culture that puts them in the crosshairs. The problem reveals a major blind spot in the C-suite: business leaders who can meticulously detail their market position are often unable to articulate their company's biggest cyber threats with the same clarity.
The boy who cried fire: McLaughlin points to a basic executive blind spot. "Ask any C-suite who their top five competitors are and they answer immediately," he says. "Ask them what the actual cyber risks to their business are, and most can’t get past one word like ransomware or HIPAA, which isn’t a risk at all, it’s a regulation." That lack of clarity feeds alarm fatigue. "When every update from the CISO sounds like the sky is falling, leaders stop listening. If everything is treated as a fire, then nothing is."
To cut through the noise, McLaughlin proposes a simple but powerful framework to help executives understand their own risk: the "CIA Triad". By analyzing the business through this lens—assessing what data needs to be kept secret (Confidentiality), what systems must be available for revenue (Availability), and what information must be accurate (Integrity)—leaders can finally prioritize defenses meaningfully. The framework encourages leaders to identify specific assets—like PII, trade secrets, and vital OT services—moving the conversation past generic buzzwords.
Frameworks, firewalls, fallacies: McLaughlin reframes what a real security program looks like. "A good security program starts with understanding your risk profile based on what your organization actually does. It should clearly answer what matters most, what would be damaged if something goes wrong, and what the consequences would be." Without that grounding, security collapses into a shopping list. "No C-suite talks about risk in those terms, and that’s the problem," he says. "Most just say, 'I’ve got SentinelOne. I’ve got SonicWall. I’m good.'"
A losing hand: He points to the 2023 MGM Resorts breach as proof that tools don’t compensate for broken process and culture. "The breach started with a help desk phone call," he recalls. "An attacker claimed they forgot their password, got past weak challenge questions, reset credentials, changed multifactor authentication, and gained full access." The result was catastrophic. "A single phone call compromised the company and led to more than $120 million in damages. And that number doesn’t include operational downtime or eventual class-action liability."
McLaughlin contrasts the scapegoating that followed SolarWinds with CrowdStrike’s response, where the CEO publicly took ownership of a major failure. The difference, he says, comes down to leadership. "If a company like MGM can be taken down by something that simple, nobody has a chance unless security is truly prioritized," he concludes. "It starts with understanding your specific risks and making deliberate decisions to limit exposure."
