New cybersecurity rules and regulations offer security leaders a great opportunity to elevate their role at their organizations, boosting security investment, according to speakers at the ISC2 Security Congress 2023.
During the opening address, ISC2 CEO Clar Rosso, highlighted the “tsunami” of laws, regulations and policies that have been passed by governments so far this year. These are global and include the EU’s Cyber Resilience Act and new US Securities and Exchange Commission (SEC) incident reporting requirements.
New cyber regulations focus on a range of areas, including workforce development, incident and vulnerability reporting, and securing AI.
A focus of these initiatives is to shift the burden of cybersecurity from customers to developers, which include organizations profiting from digital technologies, said Rosso.
While such regulations place additional responsibilities on security teams, they also offer a huge opportunity for CISOs to boost their influence at the boardroom level. Rosso believes the recognition of the importance of cybersecurity at government level is an opportunity for the industry.
Business Leaders Under the Spotlight
This message was emphasized by Dr Stephen Kraemer, Enterprise Technologist, CxO CISO at AWS, in a session discussing the impact of the recent incident reporting rules introduced by the SEC.
The rules place new obligations on publicly listed companies to provide details into the material impacts of cyber incidents to investors, as well as their processes for managing cyber risk. Crucially, these rules put business leaders under the spotlight, with organizations obligated to describe the board of directors’ oversight of risks from cybersecurity threats and their role and expertise in assessing and managing material risks.
“Think big, be creative and go after this stuff.”Dr Stephen Kraemer, AWS
This aspect offers an opportunity for security leaders to step up and “be a partner for the board” because those board members will be looking to the company CISO to help them meet these responsibilities, argued Kraemer.
He set out three opportunities CISOs should be leveraging in respect of the regulations:
1. Elevate the CISO Role
Kraemer urged CISOs to “think big and think bold” in respect of pushing their importance to the board. “You might be surprised at what might happen if you stick your neck out there,” he commented.
In the next few years, it is expected many businesses will look to have a cyber expert at the boardroom, and “this could be you.”
A particularly important component of communicating their importance is learning to speak the language of the board. This can be obtained by training courses, which are provided by bodies like the Digital Directors Network, and finding a mentor or coach who can help you develop those skills.
2. Advocate Security Transformation
The new SEC requirements is the right time for CISOs to push for a genuine security culture at the organization, where security is everyone’s responsibility. They should also strongly advocate for approaches like zero trust and enhanced cloud security architecture, added Kraemer.
3. Build Relationships with the Rest of the Organization
In addition to the board, Kraemer said security leaders must develop closer relationships with other internal departments. He noted that the new SEC rules require the establishment of incident materiality, such as the financial and reputational impacts. Calculating such impacts requires expertise beyond security teams, such as legal and finance. Such relationships can be harnessed further to develop a stronger security culture across the organization.
Concluding, Kraemer advised CISOs to “think big, be creative and go after this stuff.”