The indictment of the SolarWinds CISO by the Securities and Exchange Commission (SEC) served as a harsh wake-up call to the corporate world.
While we may have seen this movie before with Uber’s CISO, the charges emphasized that regulators are getting tougher on organizations with insufficient security measures, and holding security executives accountable when things go wrong. The era of minimal oversight and superficial compliance in cybersecurity is over.
The enforcement action also demonstrates that the responsibility for maintaining organizational security goes beyond mere professional reputation, with CISOs now facing threats to their liberty if failures happen under their watch. Little surprise, then, that there’s a newfound urgency among security leaders to ensure that cybersecurity strategies are not only effective but demonstrably so.
As cybersecurity companies come under closer scrutiny from regulators and the wider industry, CISOs will be acutely aware of the challenges they face in maintaining transparency around security controls in 2024. With that in mind, here are four trends that are likely to shape CISO practices over the next 12 months.
A new wave of regulations in the U.S. and Europe is setting the stage for more stringent oversight of cybersecurity practices, and CISOs can no longer bury their heads in the sand when it comes to ensuring that security measures are in place throughout the organization.
The SolarWinds case illustrates that regulators expect security statements to be backed by evidence of properly implemented controls. CISOs who fall short here risk reputational, professional and potentially more serious legal consequences. Maintaining transparency about a company’s true security status is key to avoiding material misstatements in 2024 and beyond, lest CISOs fall foul of the increasingly severe penalties that accompany non-compliance.
Incidents impacting large companies like SolarWinds and Uber push security ever higher on the corporate agenda, not to mention placing increased scrutiny on security leaders.
In 2024, it will likely become standard practice for boards to demand briefings on security risks to better understand and proactively manage these challenges. At the same time, CISOs will be expected to document known risks on risk registers, ensuring a clear and documented trail of identified vulnerabilities and their management.
Gaining executive buy-in for dedicated security resources will be critical to meeting rising expectations, and forward-thinking CISOs will turn down roles with insufficient budget or support. Top talent will gravitate toward organizations that take security seriously. Companies that don’t will find themselves lagging dangerously behind.
With increased accountability and the potential for enforcement actions hanging over them, CISOs will want more prestige and independence within their organizations — particularly when it comes to taking command of the protection agenda.
Reporting directly to the CEO, rather than other C-level executives like the CIO or CTO, will give CISOs more independence to implement and manage cybersecurity measures without being scapegoated by other executives if a security incident occurs. This approach also helps ensure that cybersecurity strategies are clear and consistent, avoiding the conflicting directives that can arise from multiple reporting lines.
By automating repetitive tasks and responses, organizations can do more with existing teams, boosting their efficiency even when budget constraints limit their ability to hire new staff. This is critical to recovering from incidents quickly and managing growing alert volumes, especially given the widening cybersecurity skills shortage.
Automation also allows security teams to scale as regulations push for increased transparency, and to measure the impact of security programs. This helps them demonstrate their value internally and gain buy-in from senior executives, which is key for CISOs who need to justify their requests for more budget and resources. By embracing automation, companies can move fast and improve their security posture under tighter reporting expectations.
The past year has seen a shift whereby security failures can now reach the highest levels of the organization – and leaders are taking notice. It’s no longer enough for CISOs to merely implement standard security measures and hope for the best. Instead, they must actively ensure that all proper cybersecurity controls are in place and operating as intended, and be ready to provide evidence to back this up.
Faced with this shift in regulatory and legal expectations, security leaders are, understandably, reevaluating their roles and the risks involved. To shield themselves from the heightened threat of professional, personal and legal consequences, CISOs are advocating for more autonomy, better tooling and a direct line into the CEO’s office.
As we look to 2024, there’s one thing we can be sure of: The role of the CISO will come with increased responsibility — and visibility.