How organizations can save CISOs amidst increasing federal regulations

In an effort to bolster data security and privacy practices amidst increasing cyberattacks, new data breach reporting rules enforced by the Federal Trade Commission (FTC) and Securities and Exchange Commission (SEC) have taken effect for various organizations and financial institutions. Since May 13, 2024, non-banking financial institutions (including mortgage brokers, payday lenders and tax preparation firms) must report data breaches to the FTC within 30 days of discovery. This new mandate, which is part of the FTC’s Safeguards Rule, expands the breach notification requirements to a broader range of financial entities not overseen by the SEC. Furthermore, companies with a public float under $250 million or annual revenues under $100 million were required to comply with the SEC’s new cybersecurity incident reporting rules by June 15 — aligning their disclosure obligations with those of larger corporations.

While these rulings mark a significant step towards enhancing transparency and accountability in data breach reporting, they squarely put CISOs in the hot seat, compounding the challenges they’re already facing to protect their organization. Burdened by being held solely responsible for breaches while facing new cyber threats, shrinking budgets and a growing skills gap, our security leaders are in desperate need of a lifeline. How can an organization save its CISO? It starts with these four key strategies.

1. Encourage collaboration and shared responsibility

First is creating an environment of shared responsibility by holding executive leaders accountable for protecting against security risks. While CISOs do have a responsibility to protect customer data and ensure continuity of operations, these new regulations are making CISOs feel like scapegoats. Not only do they have their reputation at stake, but now they have to think about monetary fines and jail time. To address this, organizations must establish policies that hold other executive leaders accountable for following cybersecurity practices and incident response measures. This approach fosters a culture of shared responsibility across the organization, ensuring that business risk isn’t resting entirely on the CISO’s shoulders. Additionally, organizations must promote industry cooperation through Information Sharing and Analysis Centers (ISACs) and shared intelligence, and common frameworks to ensure positive outcomes over sophisticated adversaries weaponizing advancing technologies like AI.

2. The importance of balance

Gartner reports regulatory pressure and attack surface expansion will result in almost half of a CISO’s responsibilities expanding beyond cybersecurity by 2027. This is a clear indication that CISOs need a better balance so they have time to focus on the most pressing matters. Effective cross-department collaboration helps teams outside of security understand and enforce standardized processes for safeguarding data. This approach enables early detection and proactive risk management, reducing the frequency and severity of incidents that require the CISO’s direct intervention. As a result of deploying data-centric security tools in tandem with cross-department collaboration, CISOs can concentrate on strategic priorities instead of constant oversight.

3. Determine budget allocation for cybersecurity

Third, when cybersecurity budgets are in question and teams are faced with doing more with less manpower, financial decision-makers need to communicate with CISOs to understand the ROI of a proactive cybersecurity posture that can protect the company when — not if — a breach occurs. Establishing a budget allocation for cybersecurity ensures security teams have enough financial resources to invest in and maintain the most effective security tools and measures. To maximize resources during a shortage, CISOs must advocate for prioritizing investing in data-centric security solutions; this is critical in today’s multi-cloud world as they provide a more granular and effective way to protect data as traditional boundary controls become less relevant. 

By implementing tools that focus on securing the data itself, CISOs can confidently execute consistent, scalable and regulatory-compliant protection across diverse and distributed environments. These tools also help identify and monitor sensitive data across the cloud and on-premises, aligning with regulatory compliance and ensuring proper policy enforcement. Moreover, company decision-makers must pair tool adoption with broader organizational strategies to alleviate the pressure associated with increased scrutiny and complex disclosure requirements. In addition, technology like AI can automate repetitive manual tasks such as data scanning and classification, streamlining workloads. 

4. Awareness and education are key

Lastly, instilling a cybersecurity mindset across the organization through awareness training can reduce CISOs’ concerns about internal risks such as human error-related breaches. Establishing clear internal incident response practices ensures that all staff members know how to react quickly and efficiently in case of a security incident, minimizing impact and potential damage. This proactive approach not only minimizes pressure for CISOs by preventing avoidable security lapses but also establishes the organization’s holistic security posture and a culture of cybersecurity.

We must continue to call on policymakers to create legislation and frameworks that can help address, and more importantly, support the challenges CISOs face without adding complexity to their role. In the meantime, organizations can use these four steps to help CISOs fall back in love with being security leaders.