Why CEOs Will Pay for the Next Breach
Why CEOs Will Pay for the Next Breach
https://www.cybersecurity-insiders.com/why-ceos-will-pay-for-the-next-breach/
Publish Date: 2026-07-10 03:21:00
Source Domain: www.cybersecurity-insiders.com
Last December, Park Dae-jun, the chief executive of Coupang’s South Korean business, resigned. A data breach had exposed the personal data of nearly 34 million customers, almost its entire user base. Park said he was stepping down to accept “grave responsibility” for the breach.
His resignation followed South Korean government investigators discovering that no one had pulled off a never-before-seen, impossible-to-stop attack. A former engineer who knew the system’s weaknesses walked back in through a virtual door the company forgot to close. Investigators called it a management failure, not a technical one. The blame fell on the CEO, not the CISO.
In other words, someone at the top made decisions, or failed to make them, that left millions of people exposed. Boards are starting to connect those dots, and they are looking higher up the org chart.
Misplaced Blame
For years, business leaders pointed at the CISO when something went wrong. CISOs own the security program, so they own the outcome. The problem with that reasoning is that they don’t own the decisions that actually determine whether an organization is secure.
CISOs don’t set the budget. They don’t decide how much risk the business is willing to accept. They can’t force other business units to comply with security policies when those units have different priorities. They present the potential risk and how to mitigate it to the board, then leave it to leadership to decide the next course of action.
Cyber outcomes reflect those decisions, which means accountability has to follow the decision-making power. Underinvesting in security is a leadership choice, not a CISO failure. And in most organizations, the person holding that decision-making power is the CEO.
Why the Reckoning Is Happening Now
Boards didn’t use to see a breach as their problem. That’s changing as the financial and reputational damage becomes too big to put on IT’s shoulders. A breach that…