From compliance with more rigorous cybersecurity regulations to navigating the shifting complexities of cyber liability insurance, CISOs and other cybersecurity leaders are gaining a growing number of non-technical responsibilities. At SafeBreach’s 2023 Validate Summit—an event that brings security experts together to discuss challenges and best practices in proactive cybersecurity—we heard from a panel of top security leaders and advisors on what’s required to keep up with the changing regulatory landscape.
In this installment of our Voices from Validate blog series, we cover the insights and experiences of our panel members:
The role of the CISO has undergone significant changes in the past several years. As boards and executive leadership become more concerned about their organizations’ cybersecurity risk, CISOs have had to take on more business responsibilities. One such responsibility is compliance. While CISOs have always had to make sure that the organization complies with cybersecurity regulations, it is now also their duty to ensure that the board and other stakeholders are prepared for the implications of each new standard and regulation that emerges. With the rapid increase in regulation across verticals, that is no simple task.
Beyond that, our panelists agreed that compliance is only the beginning—that the real issues to tackle are resilience and security hygiene, which go much further than new regulations require. Furthermore, because each organization and each network is different, compliance often does not equate to security. There is no one set of standards that fits all.
“Compliance has to be personal. It cannot be a checkbox.”
– Joyce Hunter, Executive Director at ICIT
Joyce Hunter, Executive Director at ICIT, emphasizes the fact that buy-in from leaders across the business is essential. “It has to be personal from the board level all the way down. Somebody has to explain to the CEOs and the CIOs, what it means and what it means to them.” Not only that, Hunter continues, but it’s essential to convey to the board and other non-technical leaders why they should care. This personal approach gives CISOs a better chance of securing the necessary resources and collaboration needed to implement and evolve the cybersecurity program.
Beth-Anne Bygum, CISO at Q2, explains that the organization and its leadership can begin to anticipate cybersecurity regulation even before it’s announced. “We know we are in a connected environment. And so when you see the regulations start to be enacted in other countries, you know that it’s going to roll [over to the US]. And though we see the SEC and the FTC starting to issue very specific fines and warnings, the legislation and the regulatory piece is going to follow.”
Andrzej Cetnarski, Founder and CEO at Cyber Nation Central, stresses the need for organizational understanding from the top down. “When you read the national cyber strategy, you’ll hear a lot about grading the industry on the technologies that we’re developing—cybersecurity by design technologies. And that’s great. But when I speak to areas of the government that deal with that strategy, my comment constantly is: start with cybersecurity by design.” The key to this, Cetnarski says, is making sure that the board and C-Suite understand what the risks are, both personally and for the organization. And then they must ensure that proper precautions are taken throughout the organization. “So that when CISOs protect the infrastructure, and tell employees what they should be doing, that acuity from the other side of the employee exists, to know how to execute on that and actually have a chance of making those programs successful.”
When it comes to the regulations themselves, Hunter says to keep it simple. “The weakest link in any organization is the person that’s ignorant, that does not know. And the people that do not know right now are the C-suite and the board.” Echoing her advice about making regulation personal, she explains that “nobody wants to admit to ignorance. So you can just share with them one on one, ‘hey, this is what’s coming. This is what it means to you,’ and I’m going back to that question, ‘and this is why you should care.’”
To address that last point, Cetnarski says that CISOs must start paying attention to how the different stakeholders on the board and in the C-suite have to respond to the onslaught of regulation. For example, “you’ve got your chief legal officer, who all of a sudden has a job that’s ballooning, every state is coming up with its own privacy laws.” It’s critical that the CISO starts translating and decentralizing cybersecurity into other roles, such as “the head of risk on the board, head of finance, the CFO, etc.”
“Data is the new endpoint,” says Bygum, “We are being held accountable to show and demonstrate consistent hygiene on the defense of the data. So as we talk about wrapping security controls around the endpoint, I would beg to add a more aggressive conversation, because data is the new endpoint, and it’s ubiquitous, and it’s traversing, and it’s moving.” She explains that existing frameworks and methodologies, including those leveraged in regulations, only go so far. “I want to know about your backlog. I want to know about your defect and code management. I want to know about how your shift left program is going. That will give me an indication if your hygiene practice is going to defend the perimeter and attacks.”
“We’re defending at the edge. Data is the new endpoint.”
– Beth-Anne Bygum, CISO at Q2
Cetnarski agrees. “As I always say, you’ve got to do what’s right by regulators, but it’s never going to keep your breach deterrent. It’s never going to allow your board or C suite to know what they should be doing.” What we should really be keeping up with, he explains, is what he calls the “hacker innovation curve”: the real-world attacks that threaten the organization. “That’s the only compliance that matters. Because once we’re complying with that curve, cool, then we have a chance to right?” In interfacing with the government, organizations must ensure that they are meeting the required standards, but while those standards are a good baseline, they are the bare minimum. “What we actually care about is, how do we protect our customers, our endpoints, our data endpoints?”
In this changing regulatory environment, one thing that has become increasingly important is cyber liability insurance. “There was a recent study that showed that 80% of companies who hold cyber insurance have actually exercised their policies,” says Avishai Avivi, CISO at SafeBreach. However, Avivi explains, he is struck by the fact that these insurance policies are behind the curve when it comes to understanding cyber risk. “They have a checklist,” he explains, echoing the earlier point about cybersecurity not being one-size-fits-all. “So they’re not getting it. And the reality of it is I think sooner rather than later, we’re going to see cyber insurance companies saying, ‘okay, prove to me that you are testing and validating your security controls beyond, “Do you have a DLP? Check. Do you have a firewall? Check.”’ What does that mean? Is it actually configured to work the way it’s supposed to?”
“Sooner rather than later, we’re going to see cyber insurance companies saying, ‘okay, prove to me that you are testing and validating your security controls.’”
– Avishai Avivi, CISO at SafeBreach
Bygum explains that because of supply chain security risks, organizations must also set expectations around liability with their vendors. “When I sit down with a vendor that’s underperforming, I have a very active conversation with the Chief Technology Officer. And I just say, I cannot carry this risk by myself, I need you to remediate [the security issues], to show me the plan, and I need for you to carry another $5 million in cyber liability. We have to be very active in how we use this instrument, because the residual risk is spreading.” Because of increased connectivity, there is “a very ubiquitous movement of data. So when you start to lay all this out, our approach to using those insurance vehicles needs to change.”
“If you’re the board, you need to start looking at cyber insurance as something that you do need to have. But it’s never going to pay out on much,” Cetnarski explains. The question then becomes, how much is covered when compared to the cost of a breach?
“The average cost of a breach these days is something like 10 million dollars. So for 5-billion-plus revenue companies, we are talking about significantly more. There’s a great study out there that says that’s just the above-the-surface cost of a breach. The below-the-surface costs—IP theft, customer loss, contract, revenue loss, reputational loss to the trade—can be up to 27 times that amount. So whatever you think you’re going to pay in a breach, multiply that by up to 27 times, and then you’ll see what the real cost is.” This also doesn’t take into account psychological costs, operational shutdown costs, and the long tail of dealing with the breach and data loss itself.
This cost and the limits of cyber liability insurance once again underscore the importance of making sure that the board understands the critical need to go beyond the insurance company’s checklist and of ensuring that proper security hygiene is practiced throughout the organization.
Cybersecurity regulation and liability insurance may be mechanisms to ensure a baseline level of security for businesses and enterprises, but the requirements in these areas lag well behind the sophistication of real-world attacks. While the CISO’s role has expanded to include preparing the executive board and C-suite for these requirements, it is also incumbent upon CISOs to impress upon those leaders the importance of resilience beyond regulation.
A large part of this effort must involve ensuring that existing security controls are configured securely and functioning properly. It also requires security hygiene practices that are implemented and maintained at all levels of the organization, which means that leaders of every business function need to understand why those practices matter.
With new cybersecurity reporting and disclosure requirements from the U.S. Securities and Exchange Commission (SEC) set to take effect on Dec. 15, 2023, we are already seeing a shift in how government bodies are trying to hold businesses and enterprises accountable for gaps in their security, regardless of whether or not they meet other standards.
As government cybersecurity organizations and state and federal legislatures continue to address the evolving threats in this more complex landscape, any organization focusing on their resilience and leading with security by design should be prepared for any new legal requirement that may arise.
Interested in seeing how your organization can continually validate security controls and increase cyber resilience? Learn more about breach and attack simulation (BAS) or speak to one of our experts.