Four ways CISOs can navigate today’s legal and regulatory minefields

The role of chief information security officer (CISO) has never been more challenging or scrutinized. Escalating cyber threats, tightening regulations, and increasing responsibilities place CISOs at the front lines of digital defense and corporate accountability.

Take the high-profile case from last October when the U.S. Securities and Exchange Commission (SEC) charged SolarWinds and its CISO with misleading investors about cybersecurity practices and known risks. The case highlights the company's oversights and also underscored a worrying trend: the growing personal accountability of CISOs in matters of security failures and disclosures.

Such legal actions have understandably alarmed the CISO community, signaling a shift where failure in digital safeguarding could lead to direct repercussions for cyber executives. The conviction of former Uber Chief Security Officer Joseph Sullivan and imposition of fines further intensifies these fears, spotlighting the legal and potential financial stakes for failing to protect or adequately report on cybersecurity matters.

Amid this backdrop, new SEC cybersecurity disclosure requirements introduced in late 2023 add another layer of complexity. These rules mandate more detailed disclosures, putting additional pressure on CISOs to fortify defenses and also meticulously document their cybersecurity strategies and breaches.

Unintended consequences

As the regulatory landscape tightens, CISOs are navigating a precarious balancing act. Their primary job—securing the organization—has become intertwined with managing personal liability. This dual burden can lead to unintended consequences.

For starters, there's motivation and incentive for self-preservation post-breach, creating a situation where quick fixes may get prioritized over collaborative, long-term improvements to prevent future incidents. This could stifle the open sharing of information that’s vital for advancing cybersecurity knowledge.

Second, with more at stake, the incentive for employees to report discrepancies under laws like the False Claims Act has increased. While potentially improving compliance, this could foster an environment of mistrust, undermining teamwork necessary for effective cybersecurity.

These factors are rendering the CISO role less appealing, deterring skilled professionals from the field and potentially weakening the industry’s innovation and protective capabilities over time.

SEC regs further complicate matters

The new SEC requirements are another hurdle, demanding that CISOs defend their organizations from cyber threats and also navigate complex regulatory waters that require thorough reporting and compliance.

Operating in this context, it’s crucial for CISOs to forge stronger alignments with boards and CEOs. CISOs now need the full support and better communications with the top to navigate these turbulent waters. Companies will need to do the following:

The role of CISOs continues to evolve, and now requires adapting to new security challenges and receiving unequivocal support from the highest levels of leadership. By proactively engaging with these challenges, boards and CEOs can help CISOs focus on what they do best: protecting their organizations, thereby fostering a more resilient corporate infrastructure and aligning with the changing regulatory landscape.

Yoran Sirkis, chief executive officer, Seemplicity