The Top CISO Stories From Around the Web: May
Top stories this month highlighted the evolving challenges CISOs face. From the complexities of the SEC's disclosure rules to fortifying their organizations with cyber resilience (especially given the rising rate of ransomware threats), CISOs are definitely on the front lines of several critical issues. May also saw stories about the potential transformation of the CISO role, with some experts predicting a rise in influence as well.
1. CISOs and Their Companies Struggle to Comply With SEC Disclosure Rules
Source: Dark Reading
Last December's Securities and Exchange Commission ruling on cybersecurity risk management and incident disclosure has caused a change in contract language. These contracts are proposed by public companies to third-party providers, and they aim to give the public companies more control over their third-party providers' responses in the case of a breach. Some public companies want the right to take over the incident response process, while others want very prompt decisions (within hours) on whether an incident is material. The pressure to disclose material incidents within four days is high, but "Overall, 68% of cybersecurity teams do not believe that their company could comply…." Large companies have a good base because they already have disclosure committees; CISOs can work with IT, cybersecurity, legal, and business to add cybersecurity disclosure to the committee's remit. Tabletop exercises are recommended as a way to help create the right process for timely disclosure. It is also recommended that, if a company is unsure, it report the incident within the four days in case it is material. Documenting the process is a new task for smaller companies. It is also possible in smaller companies that analysts (who also work on configuring cybersecurity controls) would choose not to report an incident for fear of losing their jobs.
2. Dark Reading Confidential: The CISO and the SEC
Source: Dark Reading
Becky Bracken, Senior Editor of Dark Reading, joined by Frederick "Flee" Lee, CISO of Reddit; Beth Waller, a practicing cyber attorney who represents many CISOs; Ben Lee, Chief Legal Officer of Reddit; Dark Reading's Editor-in-Chief Kelly Jackson Higgins; and Dark Reading's Managing Editor of Commentary and Copy Jim Donahue, explores the SEC and CISOs in depth. Some key points are:
Kelly Jackson Higgins (Host): The SEC's disclosure rules require incident reporting within 4 days, and CISOs face challenges with these rules and potential liability.
Fredrick "Flee" Lee (CISO, Reddit): CISOs struggle with lack of control over factors that may cause security incidents but they are still facing potential liability for them.
Ben Lee (Chief Legal Officer, Reddit): CISOs need to negotiate for a better internal relationship with the board to effectively communicate security risks.
Beth Burgin Waller (Cybersecurity Attorney): The potential for placing blame on CISOs is similar to blaming a robbery victim for leaving their car unlocked.
3. Cyber resilience: A business imperative CISOs must get right
Source: CSO
Ransomware is at an all-time high, so organizations need to go above and beyond compliance to stay cyber resilient. This article stressed the importance of accepting that ransomware can, and most likely will, eventually happen. "The ability to withstand and recover from a cybersecurity incident requires a shift in thinking that goes beyond compliance." Most IT security leaders express pessimism regarding their confidence in their security program's ability to handle risk. Identifying vulnerabilities, assessing risks, and implementing appropriate controls are important first steps toward cyber resilience. Third-party vendors pose possible vulnerabilities, and the article discusses how contracts and agreements with third-party vendors must be specific to ensure resilience. Overall, the software supply chain is vulnerable. AI can up the attacker's game, but it can also help cyber defense in many ways (although it is not a replacement for a security professional). Regulations have brought attention to cyber resilience and its importance, but the article does stress that they are only the foundation and that compliance does not ensure resilience. Having the right people involved and building a cyber-resilient culture is the last key point: people play a large role in cyber resilience.
4. One CISO Can’t Fill Your Board’s Cybersecurity Gaps
Source: Sloane Review
Boards face challenges in overseeing cybersecurity risks due to many factors, including a lack of expertise and limited time and resources to dedicate to cybersecurity oversight. Adding a CISO to the board can help, but more can be done: boards can learn more about cybersecurity. The methods suggested for this include meeting with CISOs often to understand the cybersecurity situation, taking an educational course, and regularly dedicating board session time specifically to cybersecurity.
5. CyberEdBoard Profiles in Leadership: Joe Sullivan
Source: Gov Info Security
Joe Sullivan, cybersecurity expert and former CISO of Uber, predicts an increase in influence for digital risk leaders in companies. He believes cybersecurity will become a more core executive function within the next five years and that the role might evolve beyond the current CISO position. He downplays the fear CISOs have of criminal charges, noting his own case as the only one so far, and encourages CISOs to be proactive in security. He also talks about AI in cybersecurity, urges CISOs to advocate for their security measures, and discusses his sentencing related to a data breach at Uber.