CISOs Tackle Compliance With Cyber Guidelines

The growing volume of cybersecurity compliance regulations is having an impact on the way chief information security officers and other IT security leaders strategize and allocate resources.

States continue to emulate the EU's General Data Protection Regulation (GDPR), while California continues to be the bellwether state with its introduction of the California Consumer Privacy Act (CCPA).

The federal government is also leaning in on vulnerability management with an emphasis on software -- here the focus is on knowing and managing risks associated with an organization's software bill of materials.

These reporting and disclosure requirements are forcing CISOs to pull back the curtain and expose exactly how they are managing their cyber risk and dealing with cyber incidents.

Understanding Security Dynamics

Operationally, CISOs will need to become increasingly involved with the organization as a whole -- not just the IT and security teams -- to understand the company’s overall security dynamics.

“This is a much more resource-intensive process, but necessary until companies find sustainable footing in the new regulatory landscape,” Tom Kennedy, vice president of Axonius Federal Systems, explains via email.

He points to the SEC disclosure mandate, which requires registrants to disclose “material cybersecurity incidents”, as a great example of how private companies are struggling to comply.

Related:Why a Chief Cyber Resilience Officer is Essential in 2024

From his perspective, the root problem is a lack of clarity within the mandate of what constitutes a “material” breach, and where the minimum bar should be set when it comes to a company’s security posture.

“As a result, we’ve seen a large variety in companies’ recent cyber incident disclosures, including both the frequency, level of detail, and even timing,” he says.

He added it is this lack of clarity that can make it difficult for companies within different sectors to know if they are compliant.

“The first step in fortifying your security posture is knowing what your full attack surface is -- you cannot protect what you don’t know about,” Kennedy says. “CISOs and their teams must be aware of all systems in their network -- both benign and active -- understand how they work together, what vulnerabilities they may have.”

Once that baseline is set, CISOs can make much more informed decisions and can triage their security posture.

“It will also allow CISOs to build their cyber resiliency in a sustainable way with more accurate tabletop exercises and realistic mitigation plans,” he says.

Investing in Additional Resources

Related:A Security Culture: Top Priorities for CISOs and their Teams

John Allen, vice president of cyber risk and compliance at Darktrace, noted where the requirements pertain to cybersecurity risk management and governance practices, larger organizations, and those operating in regulated industries likely have a head start.

They typically already have structures in place that are either performing the desired activities or which can take them on.

“While every in-scope organization should have capabilities around risk, smaller organizations and organizations operating in less regulated industries may have to invest in additional resources to bring their cybersecurity risk management and governance up to the appropriate level,” he says via email.

He advises that, when possible, CISOs should incorporate new compliance efforts into existing work their teams are already performing.

“Compliance can be the focal point for funding requests and net new capabilities, but to a large degree the requirements for compliance should be things that an organization is already doing albeit maybe not to the level required,” he says.

From his perspective, this heightened focus on regulatory compliance is a clear opportunity for CISOs to improve the overall security posture of their organizations.

Related:Sign Up for InformationWeek's New Cyber Resilience Newsletter

“However, they should bear in mind that simply being compliant is not the goal, but rather a way to showcase the importance of improving cyber resilience,” he says.

Given the prevalence of emerging threats and their evolving businesses, CISOs should frequently reassess their needs and capabilities across cyber resilience to ensure their organization is secure against a challenging cyber landscape.   

Priorities Derive from Risk Assessments  

Matt Hillary, vice president of security and CISO at Drata, explains every organization is different, so the focus of where they should start will generally also be different.

“However, many commonalities exist between organizations when identifying the objectives for their respective security programs,” he says.

These areas include such things as instantiating a strong application security program, operating a capable security operations, detection and response program, operating a security compliance program, otherwise known as a governance, risk, and compliance (GRC), as well as operating a capable IT and corporate security program.

“In all cases, the priority of their objectives will be derived from their own risk assessments,” Hillary says. “The highest risks identified at their respective organizations will inform what should be at the top of their list when evaluating and fortifying their organization’s security posture.”