
Cloud migration expands the role of the CISO even further

Historically, the CISO role focused primarily on information security – creating and implementing policies to protect an organization’s data and IT infrastructure from cybersecurity threats. However, as organizations rapidly migrate to cloud environments, the responsibilities and challenges facing CISOs have expanded significantly. Not only does the cloud increase the overall attack surface, but it also brings with it new compliance challenges.

GRC frameworks for CISOs

Persistent and increasing cyber threats, exacerbated by increasing regulations, are jeopardizing the ability of organizations to achieve their business objectives. This requires the integration of security into governance, risk and compliance (GRC) efforts. Many GRC frameworks already include security controls and best practices, so it is imperative that CISOs play a role in implementing such controls and ensuring compliance.

Disclosure rules in cyberspace change the rules of the game

In December 2023, the Securities and Exchange Commission (SEC) adopted new rules to improve and standardize publicly traded companies’ disclosures regarding cybersecurity risk management, strategy, governance, and incident disclosure.

These changes have given the SEC significantly more power, including by lowering the threshold at which significant cyber incidents must be reported, which will likely result in more investigations and higher fines and penalties for companies. For companies still operating in on-premises environments, it will be far more difficult, or possibly even impossible, to quickly identify an incident unless monitoring and automation are in place and security team members actively review all alerts.

Many organizations use a mix of on-premises and cloud deployments, which further increases the attack surface and makes monitoring more complex.

Even for organizations that operate primarily in the cloud, detecting and identifying a material incident still presents a significant challenge. Cloud environments are inherently complex due to third-party integrations, multiple layers, and ephemeral environments, each with its own unique characteristics. Most CISOs do not have visibility into every possible incident because they are not the ones looking at alerts, analyzing them, and reviewing log data. With the new requirement to report material cyber incidents within days of determining their significance, organizations and the CISOs tasked with protecting them have very little time to put together a disclosure that accurately describes the material impact of the incident (or the reasonably likely material impact). The latest SEC rules, which reflect the changes to PCI-DSS and SOC2, are changing the role of CISOs in their organizations.

Change in the role and responsibilities of the CISO

In the past, most CISOs collected information from their security teams and processed it to provide the board with an overview of the security status within the organization. This approach enabled them to talk about risk at a high level and provide relevant answers to the questions the board was asking.

The SEC decision places greater responsibility on CISOs. They are now directly responsible for ensuring that all material cybersecurity incidents are identified, assessed and reported within the prescribed timeframe. CISOs must now ensure that they can report to the SEC within four business days of determining the materiality of an incident, describing its nature, scope and potential impact. They must also communicate risk management strategies and incident response plans to ensure the board is well informed about the company’s cybersecurity posture.

These changes require a more structured and proactive approach, as CISOs must now be aware of compliance status in near real-time, not only to provide the board, compliance teams and finance teams with all the data and context surrounding cybersecurity incidents, but also to ensure they can quickly determine whether an incident has a material impact and therefore needs to be reported to the SEC.

CISOs who fail to make timely disclosures or who have the wrong security and compliance strategy face financial penalties, even if the incident does not become a catastrophic cybersecurity event. Boards must be confident that CISOs can answer any questions about compliance and security quickly and accurately. In addition, boards themselves must be familiar with cybersecurity concepts, understand the risks, and be able to ask the right questions.

Technological change brings cyber risk and GRC into alignment

Proper security has always lagged about a year behind the latest technology, and compliance frameworks have lagged even further behind. The result has been a huge gap between technology and compliance.

To minimize this gap, prudent CISOs are aligning their cyber risk strategies with GRC frameworks. This enables them and their organizations to adapt to rapid technological changes, evolving regulatory environments, and new ways of building and maintaining enterprise networks. This alignment ensures that CISOs can take a holistic approach to risk management to counter sophisticated cyber attackers, a growing attack surface, and the potential for severe financial loss, reputational damage, and business disruption from cyber incidents.

The question remains: how can CISOs ensure they have the information they need to determine whether an incident is material? The best, and perhaps only, way to be prepared to determine the materiality of an incident is to leverage technology. By implementing critical controls, collecting data, and automating the monitoring of those controls by integrating them into the security technology stack, CISOs can have a unified view of risks and potential incidents at all times. This not only helps them comply with SEC rules, but also increases their organization's overall resilience to cyber threats.