Cloud migration expands the CISO role yet again

The CISO role used to be focused primarily on information security — creating and implementing policies to safeguard an organization’s data and IT infrastructure from cybersecurity threats. However, as organizations rapidly migrate to cloud environments, the responsibilities and challenges for CISOs have expanded significantly. The cloud both increases the overall attack surface and introduces new compliance challenges.

Persistent and increasing cyber threats, compounded by increased regulations, threaten organizations’ ability to meet business goals. This requires the integration of security into governance, risk, and compliance (GRC) efforts. Many GRC frameworks already include security controls and best practices, making it imperative for CISOs to play a role in implementing such controls and ensuring compliance.

Cyber disclosure rules change the game

In December 2023, the Securities and Exchange Commission (SEC) adopted new rules to improve and standardize disclosures by public companies regarding cybersecurity risk management, strategy, governance, and incident disclosure.

These changes have given far more power to the SEC, in part by lowering the bar for reporting to encompass material cyber incidents, likely resulting in more investigations and higher fines and penalties on companies. Those companies still operating in on-premises environments will find it far more difficult or possibly even impossible to identify an incident quickly unless monitoring and automation are deployed, and security team members actively review all alerts.

Many companies have a mix of on-premises and cloud deployments, adding further to the attack surface and the complexities of monitoring.

Even for companies that operate primarily in the cloud, detecting and identifying a material incident still poses a significant challenge. Cloud environments are inherently complex due to third-party integrations, multiple layers, and ephemeral environments — each environment has unique characteristics. Most CISOs don’t have visibility into every possible incident because they aren’t the ones looking at alerts, analyzing them, and reviewing log data. With the new requirement to report material cyber incidents within days of determining their significance, organizations and the CISOs charged with protecting them have very little time to put together a disclosure that accurately describes the incident’s material impact (or reasonably likely material impact). The latest SEC rules, echoing PCI-DSS and SOC2 changes, change the role CISOs play within their organizations.

Changing the CISO role and responsibilities

Historically, most CISOs gathered information from their security teams and digested it to provide the board of directors with an overview of security status within the organization. This approach enabled them to talk about risk at a high level and provide relevant answers to the types of questions the boards were asking.

The SEC ruling places a higher level of accountability on CISOs, who are now directly responsible for ensuring that all material cybersecurity incidents are identified, assessed, and reported within the mandated time frame. CISOs must now ensure they can report to the SEC within four business days of determining an incident’s materiality, describing its nature, scope, and potential impact. They must also communicate risk management strategies and incident response plans to ensure the board is well-informed about the organization’s cybersecurity posture.

These changes require a more structured and proactive approach because CISOs must now be aware of compliance status in near real-time, not only to provide all cybersecurity incident data and context to the board, compliance teams, and finance teams, but to ensure they can determine quickly whether an incident has a material impact and therefore must be reported to the SEC.

CISOs who miss making a timely disclosure or have the wrong security and compliance strategy in place can expect to be fined, even if the incident doesn’t turn into a catastrophic cybersecurity event. Boards must be able to trust that CISOs can answer any question related to compliance and security quickly and accurately, and the board themselves must be familiar with cybersecurity concepts, able to understand the risks and ask the right questions.

Changing technology aligns cyber risk with GRC

Proper security has always trailed about a year behind the latest technology, and compliance frameworks lag even further. The result has been a giant gap between technology and compliance.

To minimize that gap, thoughtful CISOs align their cyber risk strategies with GRC frameworks. This enables them and their organizations to adapt to rapid technology changes, evolving regulatory frameworks, and new methods of building and maintaining enterprise networks. This alignment ensures that CISOs can take a holistic approach to risk management to enable them to face sophisticated cyber attackers, an expanding attack surface, and the potential of severe financial losses, reputational damage, and operational disruptions caused by cyber incidents.

The issue remains how CISOs can ensure that they have the information needed to determine whether an incident is material. The best, and perhaps only, way to be prepared to respond with a determination of the materiality of an incident is through technology. Putting critical controls in place, gathering data, and automating the monitoring of these controls by integrating them with the security tech stack enables CISOs to gain a unified view of risk and potential incidents at any point in time, which not only enables them to follow SEC rules but increases their overall resilience to cyber threats.