The Securities and Exchange Commission (SEC) has sent letters to Chief Information Security Officers (CISOs) and other executives warning of pending legal action over data breaches that occurred at their companies.
SolarWinds announced that its CISO and Chief Financial Officer were targets of Wells Notices, a notification that the SEC intends to recommend enforcement action against the individual for violating securities rules. This and other recent targeting of security officials may be sending a chilling message to cybersecurity officials across industries.
Responsibility and accountability are important for CISOs and other security leaders at companies, and negligence is not acceptable. That said, we do need to find the right balance. Prosecuting CISOs and threatening potential prison time and financial penalties is a new development that may impact whether anyone would want to fill those positions at a time when we have over 663,000 current open cybersecurity jobs and only 1,129,000 cybersecurity workers currently employed in the U.S.
Overseeing all aspects of cybersecurity in a large organization is challenging. Managing employees across various cybersecurity areas and knowing what’s happening across the enterprise is daunting. Add to that keeping up to date on the latest threats and attacks and making sure the organization is prepared to combat them, and the job can lead to long days and sleepless nights. Now these executives are also going to have to worry about financial fines and prison time if their systems are attacked.
This is not to say that CISOs should be without repercussions, particularly if an individual is negligent. However, the SEC had better have some amazing evidence to warrant taking it to this point. Only time will tell us if they are getting this delicate balance right.
