How CISOs Can Contend With Increasing Scrutiny from Regulators

Senior stakeholders who want to hold on to their CISOs must ensure that they have sufficient incentives and, more importantly, support to cope with the burden of risk that they are carrying.


As those responsible for their organization’s cybersecurity defenses, CISOs have been facing extremely high stakes since the mid-1990s, when the role was first created. Advancing threats have made the position increasingly challenging, but it turns out that things could get far worse.

A confluence of events in 2023 raised the bar, including new SEC reporting rules and a growing trend whereby CISOs are being held personally responsible for cyber incidents.

Security teams are struggling against growing attack surfaces, with research from TechTarget's Enterprise Strategy Group reporting that third-party connections, IoT networks, and public cloud infrastructure have driven up the attack surface in 62% of organizations.

At the same time, AI and RaaS (Ransomware-as-a-Service) are making cyber attacks both more sophisticated and easier to perpetrate, forcing security into constant firefighting mode.

As team leaders, CISOs already had to set and deliver on cyber strategy, a task made harder at a time when 41% of security teams are understaffed, and 51% are held back by budget constraints. It's no surprise that this pressure results in high levels of stress and burnout. Work-related stress affects 94% of CISOs, and 65% admit that it's compromising their ability to do their jobs.

CISOs are on the hot seat

Now, things are getting even more stressful due to new regulations that hold CISOs personally responsible for security breaches. In December, the SEC introduced new reporting rules that require organizations to report "material" cyber incidents within four business days. While this seems unrealistic — in 2023, the mean time to identify (MTTI) dropped to 204 days from 207 in 2022 — it’s also highly alarming.

A similar ruling is arriving in Europe. This coming fall, the new EU NIS 2 directive, which holds all C-suite executives personally liable for a breach if they are found to be negligent, will become law.

In the meantime, security leaders are personally sustaining the fallout from a recent wave of company-level compliance lapses, including the prosecution of Uber’s CSO in May 2023 and of Solarwinds’ CISO last October.

Understandably, CISO anxiety is heading off the charts. A recent survey found that just 15% are not worried about their personal liability, and 61% agreed that they wouldn’t sign on with an organization unless they were given insurance to protect them from liability after a successful cyber attack.

Looking beyond insurance, here are a number of things that CISOs can do to proactively protect themselves and their organizations.

Build your own security program, top-down

Establishing an end-to-end blueprint for your security program is essential. This will not only provide a structure for your cybersecurity program but will also prepare you to prevent, detect, and respond to incidents and events should they occur.

Start by forming your organization's policies and processes, including (but not limited to) incident response, business continuity, and risk assessments.

Then, define all the relevant roles and responsibilities, especially those that relate to incident management, as well as communication throughout the team and with the board.

Optimize security operations as much as possible

The first step is to do everything possible to streamline operations, so that your team can be at least somewhat available when exceptional situations arise.

CISOs need to strengthen their cyber risk assessment capabilities using methodologies such as the urgent-important matrix and RICE scoring, so they can prioritize the greatest threats and plan mitigation and remediation tasks accordingly.

Automation is another critical operational element. The more that you can automate security and compliance-related tasks, the more you’ll reduce the stress of adhering to regulations and maintain a strong security and compliance posture. This includes preparing evidence for audits, gap analysis, and user access reviews. What’s more, automation will not only boost efficiency but will also provide continuous visibility and monitoring for your security and compliance posture and reduce the risk of being surprised.

Communicate and document

Clear, frequent communication is a vital source of protection.

Update the board, and the CEO directly, with up-to-the-minute data about outstanding security issues, including which security controls you need, their cost, and the potential impact if a breach occurs because they aren’t in place. Make sure you have the means to produce fresh security status data, and avoid updates based on month-old or quarter-old figures. Keep a written record of all your actions, major requests, and important decisions.

You should also create a corporate definition of "materiality," i.e., what should be considered significant enough to disclose to investors and/or shareholders. Along these lines, it's a good idea to weigh in on your company's cyber insurance policies. Store your insurance recommendations along with your written records so that you are not exposed to legal liability over a risk the policy excludes.

Prioritize transparency and support

Transparency is another crucial part of your armor, especially when it comes to dealing with regulators. Beyond your written records of decisions and recommendations, you’ll need a system of record for every security incident, each action you took in response, and why you took that action.

Those 61% of CISOs who won't continue in the role without D&O insurance are on the right track. With so much pressure on their backs, CISOs are right to ask for sufficient remuneration, which adequately reflects their new elevated levels of personal risk.

It's also a good idea to establish mental health resources, and a robust reporting structure for your mental and emotional needs, well before you're in dire need of them.

CISOs need to manage their increasing burden of risk

Already high levels of existing stress and pressure are being compounded by new regulations that encode personal liability for cyber attacks. Many CISOs are choosing to leave the industry, which will only worsen the skills shortage and increase the difficulty for those who remain.

In order to handle the demands of their role, CISOs need to advocate for their own best interests, as well as doing all they can to protect their organization. At the same time, senior stakeholders who want to hold on to their CISOs should ensure that they have sufficient incentives and, more importantly, support to cope with the burden of risk that they are carrying.

Arik Solomon is the CEO and Co-founder of Cypago.

About the Author(s)

Arik Solomon, CEO and Co-founder, Cypago

Arik Solomon is the CEO and Co-founder of Cypago, enabling companies to streamline and automate their processes and workflows around cyber governance, risk, and compliance (GRC). He has more than 30 years of executive experience in the cybersecurity, consulting, and software development sectors, including as Chief Technology Officer of EY Israel, VP of R&D and VP of Security & Deep Learning at Deep Instinct, and VP of Services at Mirato.
