COMMENTARY
In the high-stakes world of cybersecurity, the ground is shifting beneath the feet of those charged with protecting our digital infrastructure. First came the new Securities and Exchange Commission (SEC) rules and lawsuits related to cybersecurity. More recently, a US Supreme Court ruling promises to reshape the regulatory landscape, compelling federal officials to rethink their approach to cyber governance.
Yet amid this whirlwind of change that has descended on the industry, it’s critical for chief information security officers (CISOs) to remain steadfast and not be deterred — or discouraged — by this shift.
New public policies changing the field require security professionals to stay abreast of the regulatory landscape. More changes are undoubtedly on the horizon. But through all the turbulence, the CISO’s role remains unchanged: a vital player in the team sport of safeguarding an organization’s data and networks.
Therefore, my message, drawn from decades in the security field, resonates with the stiff-upper-lip slogan of Britain in the run-up to World War II: Keep calm and carry on.
A Regulatory Tsunami
The SEC’s rules went into effect last December. Under the new rules, a public company must report a cybersecurity incident within four business days of determining that the incident is material. The SEC also requires public companies to disclose how they assess and manage cybersecurity risk.
Those in the security world apprehensive about these anticipated changes became downright frightened when the SEC — even before its new rules went into effect — sued a company, SolarWinds, going so far as to name its CISO personally in the complaint. Just weeks before its new cybersecurity rules were set to go into effect, the agency was sending a clear message to the country’s CISOs: Complacency is no longer an option.
But when a federal judge largely dismissed that suit this summer, the ruling simply confirmed what those of us in the cybersecurity field already understood: Holding a CISO personally liable for a cyberattack won’t make systems more secure. While security professionals play a critical role in protecting a company, they cannot do so effectively without the collaboration and support of others. CISOs often have only partial visibility into an organization’s attack surface, and that is a serious impediment to conducting a complete risk assessment.
To be clear, regulation can play a role in helping CISOs enhance an organization’s defenses. The Food and Drug Administration’s (FDA’s) cybersecurity requirements for medical devices illustrate this well. Those requirements empowered CISOs to join the conversation and secure the resources needed to safeguard additional areas of their organizations.
The SEC’s new rules provide a similar opportunity — and a long overdue change — for today’s CISOs to be more involved in an organization’s full set of technology decisions.
A Collective Responsibility
At their core, CISOs are truth-tellers — akin to an internal audit committee that assesses risks and makes recommendations to improve an organization’s defenses and internal controls.
Ultimately, though, it’s the board and a company’s top executives who set policy and decide what to disclose in public filings. CISOs can and should be counselors in this group effort because they understand security risk. And yet, the advice they can offer is limited if they don’t have full visibility into an organization’s technology stack.
Many CISOs oversee a company’s IT systems, but not the products the company sells. That gap matters when it comes to data-dependent systems and devices that give cyber criminals a path onto the network. Those might include medical devices, or sensors and other Internet of Things endpoints used in manufacturing lines, electric grids, and other critical physical infrastructure.
In short: A company’s defenses are only as strong as the board and its top executives allow them to be.
And if there is a breach, as in the case of SolarWinds? CISOs do not determine the materiality of a cybersecurity incident; a company’s top executives and its board make that call. The CISO’s responsibilities in that scenario involve responding to the incident and conducting the follow-up forensics required to help minimize or avoid future incidents.
Even before the SEC got involved, though, liability was an underlying concern among security officers. Those whose job it is to protect our data systems invariably feel responsible when something goes wrong, whatever a federal agency might say.
Ours is a business in which thwarting a bad actor 99 times will not make any difference if an intruder manages to breach defenses on the 100th try. That’s the burden that comes with the CISO title, and that’s why I’ve always recommended — long before the SEC’s new transparency rules — that a CISO understand the complex threat landscape as well as the evolving regulatory environment.
The Chevron Decision: A New Layer of Complexity
For cybersecurity professionals, the legal move potentially more significant than the dismissal of the SolarWinds suit was the Supreme Court’s decision in June to overturn the so-called Chevron doctrine. The Chevron doctrine, established in a 1984 case, required courts to defer to a federal agency’s reasonable interpretation of an ambiguous statute.
Now, the judgment of agencies — whether the SEC or other bodies — is no longer given that deference. The overturning of this decades-old Chevron precedent has created uncertainty around the enforcement of cybersecurity regulations, potentially making it even harder for CISOs to navigate the regulatory landscape.
Even as the rule book may be in flux, though, the professional mission of the CISO remains unchanged: protecting their organization in a world of constant, continually evolving threats. That requires clear thinking and the ability to keep one’s head amid chaos.
In other words: Keep calm and carry on.