Top Takeaways From Table Talks With Fortune 100 CISOs

As organizations struggle to keep up with new regulations and hiring challenges, chief information security officers share common challenges and experiences.

Larry Whiteside Jr., Chief Information Security Officer, RegScale

July 11, 2023

4 Min Read
a cybersecurity concept image with a man in a suit pointing and the word "CISO" written above it.
Source: Panther Media GmbH via Alamy Stock Photo

Recently, I toured the East Coast and met with Fortune 100 chief information security officers (CISOs) in different industries to have frank discussions about cybersecurity and the changing regulatory compliance landscape. These leaders discussed the impacts of significant breaches and the most serious challenges facing them today. As many organizations struggle to keep up with new regulations and simultaneously face hiring challenges, I discovered some shared challenges and experiences from CISOs, regardless of their organization's size or location. 

Federal Regulations and Agencies 

CISOs generally have a complex relationship with regulatory agencies. Increasingly, governments are sharing recommendations and creating regulations to build robust cybersecurity strategies. It's important to establish relationships with federal agencies before experiencing a breach. Relationships with individuals in key agencies for your industry help you understand clearly which agencies to contact in the event of a security incident. Some of the CISOs I spoke to had experienced significant breaches, and those with existing relationships with relevant agencies navigated the response process easily and addressed the incident efficiently and swiftly.

As the regulatory compliance landscape changes, the CISOs agree on the importance of staying current with regulatory requirements. Some regulations require organizations to file disclosures about their cybersecurity practices periodically. The General Data Protection Regulation (GDPR), the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), and the National Credit Union Administration (NCUA) require organizations to disclose information about a material cybersecurity incident within 72 hours, while the Securities and Exchange Commission (SEC) allows 96 hours. The timeline means that robust incident response plans must be in place to make a determination quickly. 

Similarly, CISOs anticipate the Cybersecurity Maturity Model Certification (CMMC) will seriously impact prime contractors for Department of Defense contracts because prime contractors are responsible for ensuring that their subcontractors meet the appropriate CMMC level for their work. Many smaller subcontractors need to be more prepared to answer the myriad questions and controls required. 

CISOs in public and private industries accept the inevitability of these changes. They are trying to find the balance between putting the right protections in place to meet regulations and being ready to report quickly if a significant incident occurs. Hiring and retaining cybersecurity talent is integral to achieving this balance.

Hiring Challenges and Opportunities 

As cybersecurity challenges continue evolving, staff shortages are growing in the workforce. (ISC)2 research showed a workforce gap of 3.4 million cyber professionals worldwide in 2022, even as many organizations face increasing risks, work to comply with new regulatory requirements, and adopt new technologies. Hiring challenges are twofold: finding the right talent is hard, and many organizations seek to increase team diversity. 

Despite tech industry layoffs, CISOs still have trouble finding people to fill their open roles. In Florida, however, I discovered that many people moved to the area during the pandemic, making available roles easier to fill there. 

To handle the impossibility of getting all the talent they need, the CISOs I spoke to are looking to use more automation. Security teams are inundated with vast amounts of data as the technology landscape changes and new tools emerge. Security leaders are looking for automation to sort through that data and highlight what their teams need to focus on. Everyone wants more artificial intelligence (AI) and machine learning (ML) to make it easier for them to appropriately protect the data, infrastructure, and organizations they are responsible for. 

CISOs Role and D&O Insurance 

Massive breaches, such as those that exposed the data of over 50 million customers at Uber, are advancing the conversation about the CISO's role and whether CISOs need directors and officers (D&O) insurance. Uber CISO Joseph Sullivan was ordered to pay a $50,00 fine and complete 200 hours of community service and three years of probation for his role in the 2016 breach. While some in the industry see it as a broader security failure and a cautionary tale for CISOs as it relates to their role among the corporate executive team, others believe Sullivan misrepresented the situation and bore greater responsibility. 

These incidents show that the CISO role and reporting relationship with the executive team and the board may need review. Today, CISOs bear significant responsibility for their organizations' reputation and success, and many believe it is time to require D&O insurance as part of their cybersecurity leadership role, just as the rest of the executive team does. 

What's Next? 

As CISOs look ahead, they are heavily concerned with increasing regulations and the need to comply with them. Security leaders need to choose which controls are most important and align them to a compliance framework. This can help them get the budget needed to create an effective cybersecurity program that blends automation, AI, ML, and cybersecurity talent to meet the challenges ahead — preferably without needing that D&O insurance coverage.

About the Author(s)

Larry Whiteside Jr.

Chief Information Security Officer, RegScale

A former USAFO with 25+ years of experience building cybersecurity programs, Larry Whiteside Jr. is a veteran CISO, CSO, and CTO in cybersecurity and holds extensive experience in C-Level security roles across industries; including, DoD, Federal Government, Financial Services, Healthcare, and Critical Infrastructure. 

As the CISO at RegScale, Larry leads the RegOps community of GRC practitioners. He routinely advises corporate security companies across the Fortune 2000, helping them achieve their goals in sales, marketing, and customer retention. 

A thought leader in the industry, Larry is a sought-after speaker at conferences such as the Gartner Security Summit, RSA Conference, and SC World Congress, and has been featured in many articles relating to information security and risk management. Larry is also the Co-Founder, President, and on the Board at Cyversity, a 501(c)3 nonprofit association that is dedicated to increasing the number of minorities and women in cybersecurity careers.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights