Recently, I toured the East Coast and met with Fortune 100 chief information security officers (CISOs) in different industries to have frank discussions about cybersecurity and the changing regulatory compliance landscape. These leaders discussed the impacts of significant breaches and the most serious challenges facing them today. As many organizations struggle to keep up with new regulations and simultaneously face hiring challenges, I discovered some shared challenges and experiences from CISOs, regardless of their organization’s size or location.
Federal Regulations and Agencies
CISOs generally have a complex relationship with regulatory agencies. Governments are increasingly publishing recommendations and creating regulations intended to drive more robust cybersecurity programs. It is important to establish relationships with the relevant federal agencies before experiencing a breach. Knowing individuals in the key agencies for your industry makes it clear which agencies to contact, and how, when a security incident occurs. Some of the CISOs I spoke to had experienced significant breaches, and those with existing agency relationships navigated the response process more easily and addressed the incident more efficiently and swiftly.
As the regulatory compliance landscape changes, the CISOs agree on the importance of staying current with regulatory requirements. Some regulations require organizations to file periodic disclosures about their cybersecurity practices; others impose short clocks on incident reporting. The General Data Protection Regulation (GDPR) requires notifying the supervisory authority of a personal data breach within 72 hours of becoming aware of it; the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) and the National Credit Union Administration (NCUA) reporting rule likewise set 72-hour windows for covered cyber incidents; and the Securities and Exchange Commission (SEC) requires public companies to disclose a material cybersecurity incident on Form 8-K within four business days of determining that the incident is material. Because these clocks start at awareness or at the materiality determination, robust incident response plans must already be in place so that the organization can make that determination quickly and document when it was made.
Similarly, CISOs anticipate that the Cybersecurity Maturity Model Certification (CMMC) will seriously impact prime contractors on Department of Defense contracts, because prime contractors are responsible for ensuring that their subcontractors meet the CMMC level appropriate for their work. Many smaller subcontractors are not yet prepared to answer the myriad questions and implement the controls required.
CISOs in public and private industries accept the inevitability of these changes. They are trying to find the balance between putting the right protections in place to meet regulations and being ready to report quickly if a significant incident occurs. Hiring and retaining cybersecurity talent is integral to achieving this balance.
Hiring Challenges and Opportunities
As cybersecurity challenges continue to evolve, the workforce shortage keeps growing. (ISC)2 research showed a global gap of 3.4 million cybersecurity professionals in 2022, even as organizations face increasing risk, work to comply with new regulatory requirements, and adopt new technologies. The hiring challenge is twofold: finding the right talent is hard, and many organizations also want to increase the diversity of their teams.
Despite tech industry layoffs, CISOs still have trouble finding people to fill their open roles. In Florida, however, I discovered that many people moved to the area during the pandemic, making available roles easier to fill there.
Because they cannot hire all the talent they need, the CISOs I spoke to are looking to use more automation. Security teams are inundated with data as the technology landscape changes and new tools emerge, and security leaders want automation to sort through that data and highlight what their teams need to focus on. Everyone wants more artificial intelligence (AI) and machine learning (ML) to make it easier to protect the data, infrastructure, and organizations they are responsible for.
The CISO's Role and D&O Insurance
Massive breaches, such as the 2016 Uber breach that exposed the data of over 50 million riders and drivers, are advancing the conversation about the CISO's role and whether CISOs need directors and officers (D&O) insurance. Former Uber CISO Joseph Sullivan was convicted not for the breach itself but for concealing it, and was sentenced to three years of probation, 500 hours of community service, and a $50,000 fine. Some in the industry see the case as a broader security failure and a cautionary tale for CISOs about their standing among the corporate executive team; others believe Sullivan misrepresented the situation and bore the greater share of responsibility.
These incidents show that the CISO role, and its reporting relationship with the executive team and the board, may need review. Today, CISOs bear significant responsibility for their organizations' reputation and success, and many believe it is time for CISOs to be covered by D&O insurance as part of their leadership role, just as the rest of the executive team is.
What’s Next?
As CISOs look ahead, they are most concerned with increasing regulation and the need to comply with it. Security leaders need to choose which controls matter most and align them to a compliance framework. Doing so helps them justify the budget for an effective cybersecurity program that blends automation, AI, ML, and cybersecurity talent to meet the challenges ahead, preferably without ever needing that D&O insurance coverage.