The role of chief information security officer (CISO) has never been more challenging or scrutinized. Escalating cyber threats, tightening regulations, and increasing responsibilities place CISOs at the front lines of digital defense and corporate accountability.
Take the high-profile case from last October when the U.S. Securities and Exchange Commission (SEC) charged SolarWinds and its CISO with misleading investors about cybersecurity practices and known risks. The case highlights the company's oversights and also underscored a worrying trend: the growing personal accountability of CISOs in matters of security failures and disclosures.
Such legal actions have understandably alarmed the CISO community, signaling a shift where failure in digital safeguarding could lead to direct repercussions for cyber executives. The conviction of former Uber Chief Security Officer Joseph Sullivan and imposition of fines further intensifies these fears, spotlighting the legal and potential financial stakes for failing to protect or adequately report on cybersecurity matters.
Amid this backdrop, new SEC cybersecurity disclosure requirements introduced in late 2023 add another layer of complexity. These rules mandate more detailed disclosures, putting additional pressure on CISOs to fortify defenses and also meticulously document their cybersecurity strategies and breaches.
Unintended consequences
As the regulatory landscape tightens, CISOs are navigating a precarious balancing act. Their primary job—securing the organization—has become intertwined with managing personal liability. This dual burden can lead to unintended consequences.
For starters, there's motivation and incentive for self-preservation post-breach, creating a situation where quick fixes may get prioritized over collaborative, long-term improvements to prevent future incidents. This could stifle the open sharing of information that’s vital for advancing cybersecurity knowledge.
Second, with more at stake, the incentive for employees to report discrepancies under laws like the False Claims Act has increased. While potentially improving compliance, this could foster an environment of mistrust, undermining teamwork necessary for effective cybersecurity.
These factors are rendering the CISO role less appealing, deterring skilled professionals from the field and potentially weakening the industry’s innovation and protective capabilities over time.
SEC regs further complicate matters
The new SEC requirements are another hurdle, demanding that CISOs defend their organizations from cyber threats and also navigate complex regulatory waters that require thorough reporting and compliance.
Operating in this context, it’s crucial for CISOs to forge stronger alignments with boards and CEOs. CISOs now need the full support and better communications with the top to navigate these turbulent waters. Companies will need to do the following:
- Establish open lines of communication: It’s vital that CISOs have a direct channel to discuss cybersecurity risks and strategies with top management.
- Deliver adequate resources: In times where the mantra has been "do more with less," companies must ensure sufficient budget and resources for security. Luckily, according to our research 96% of respondents say their budget for security products grew in the last year, growing by an average of 22%.
- Offer new reporting mechanisms: With stringent reporting requirements, it’s crucial to establish protocols that facilitate over-reporting to ensure transparency.
- Incorporate security into the corporate culture: Security must be everyone's responsibility. Cultivating a culture that prioritizes and understands cybersecurity can significantly reduce internal threats.
The role of CISOs continues to evolve, and now requires adapting to new security challenges and receiving unequivocal support from the highest levels of leadership. By proactively engaging with these challenges, boards and CEOs can help CISOs focus on what they do best: protecting their organizations, thereby fostering a more resilient corporate infrastructure and aligning with the changing regulatory landscape.
Yoran Sirkis, chief executive officer, Seemplicity
