In a recent tour along the East Coast, Fortune 100 chief information security officers (CISOs) from various industries gathered to discuss the ever-changing landscape of cybersecurity and regulatory compliance. These CISOs, regardless of the size or location of their organizations, faced similar challenges and shared experiences, shedding light on the most pressing issues in the field.
One significant factor that emerged from these discussions was the complex relationship between CISOs and regulatory agencies. Governments worldwide are increasingly sharing recommendations and implementing regulations to strengthen cybersecurity strategies. To navigate this landscape effectively, it is crucial for CISOs to establish relationships with relevant federal agencies before experiencing a breach. By connecting with individuals in key agencies for their respective industries, CISOs can clearly identify whom to contact in the event of a security incident. Those CISOs who had existing relationships with these agencies found it easier to navigate the response process, addressing the incident quickly and efficiently.
Staying current with regulatory requirements is another shared concern among CISOs. Some regulations require organizations to periodically disclose information about their cybersecurity practices. Notable examples include the General Data Protection Regulation (GDPR), the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), and the National Credit Union Administration (NCUA) rules, which require organizations to disclose information about any material cybersecurity incident within 72 hours. The Securities and Exchange Commission (SEC) allows organizations 96 hours for such disclosures. These timelines highlight the importance of having a robust incident response plan in place, one that lets the organization determine quickly whether an incident is material and must be reported.
Additionally, CISOs anticipate that the Cybersecurity Maturity Model Certification (CMMC) will have a significant impact on prime contractors for Department of Defense contracts. These contractors are responsible for ensuring that their subcontractors meet the CMMC level appropriate for their work. Smaller subcontractors need to be prepared to address the many questions and controls required for compliance.
CISOs in both the public and private sectors acknowledge that these changes are inevitable. They strive to strike a balance between implementing the protections necessary to meet regulations and being ready to report promptly in the event of a significant incident. Hiring and retaining cybersecurity talent, however, plays a crucial role in achieving this balance.
As cybersecurity challenges continue to evolve, organizations face a growing shortage of qualified professionals. Research conducted by (ISC)² revealed a global workforce gap of 3.4 million cyber professionals in 2022. This shortage poses a challenge for CISOs, who not only struggle to find the right talent but also seek to increase diversity within their teams.
Despite recent layoffs in the tech industry, CISOs still face difficulties in filling their open roles. Interestingly, many people relocated to Florida during the pandemic, making open roles there relatively easier to fill. To cope with the shortage of talent, CISOs are exploring the use of automation. The rapid development and emergence of new technologies create vast amounts of data that security teams must sift through. Automation tools can assist in sorting through this data and highlighting the areas that require attention. Many CISOs look to leverage artificial intelligence (AI) and machine learning (ML) to improve their organizations’ ability to protect data, infrastructure, and overall security.
The high-profile breaches that exposed the data of millions of customers, such as the one experienced by Uber, have sparked discussions about the role of CISOs and the need for directors and officers (D&O) insurance. In the case of the Uber breach, the company’s former CISO, Joseph Sullivan, faced penalties and probation. This incident prompts a reconsideration of the CISO’s role within the executive team and the board. Today, CISOs bear significant responsibility for their organizations’ reputation and success, leading to calls for the inclusion of D&O insurance as part of their cybersecurity leadership role, just as it is required for other executives.
Looking ahead, CISOs express concern about the increasing regulations and the challenges associated with compliance. To overcome these obstacles, security leaders must prioritize key controls and align them with a compliance framework. This approach not only helps secure the budget necessary to establish an effective cybersecurity program but also encourages the integration of automation, AI, ML, and cybersecurity talent to face future challenges. Ideally, this proactive approach can reduce the need for D&O insurance coverage and potentially avert costly security incidents.