How CISOs Can Navigate Cybersecurity Regulations: Forrester Panel

Regulation is a fact of life in cybersecurity and with new rules coming at a faster pace globally, CISOs are facing increasingly complex regulatory challenges.

Shane Snider, Senior Writer, InformationWeek

November 14, 2023

FedEx CISO Gene Sun talks about the rise in regulation and compliance concerns. Photo by Shane Snider for InformationWeek

At a Glance

  • As technology advances at an unprecedented pace, new regulations are on the rise globally.
  • CISOs and other tech leaders need to reframe how they think about compliance.
  • Networking is crucial for organizations to have some say in regulation.

If you’re just trying to take the bare minimum steps to comply with mushrooming cybersecurity regulations, you might be doing it wrong.

That was one of the takeaways from Forrester’s Security & Risk 2023 conference opening day Tuesday, which featured a panel discussion about quickly changing regulatory requirements. The keynote, “Too Fast, Too Furious: Managing the Speed of Cybersecurity Regulatory Change,” featured a discussion with Gene Sun, corporate vice president and CISO at FedEx, and Stephanie Franklin-Thomas, senior vice president and CISO with ABM Industries.

The pace of regulation is following increasing digitalization throughout our lives, Sun said. “Every single thing is being digitized in our enterprises, in our companies, and in your personal lives,” he said. “How many gadgets in your home have been digitized and connected to the internet? Doorbells, garage door openers, everything … This is one driver of regulation.”

The other cybersecurity regulation driver, he said, is national security. And compliance gets trickier if you run a multinational business. Because FedEx operates in more than 200 countries, keeping up with regulations can be a nightmare. “For the past few years in Washington, all of the regulatory intent is driven by national security.”

Using Compliance as Foundation

Franklin-Thomas said regulations are coming at a furious pace because in many ways, the US was behind in creating a regulatory framework. “I really feel like we’re behind the eight ball with all the regulation we need,” she said.

A company should do more than simply comply with regulations, Franklin-Thomas said. “Regulations that come out are really the minimum standard of what you should have,” she said, adding that companies will have an easier time with compliance even as new regulations come out if they try to go beyond minimum regulatory requirements. “If we are doing the right things to begin with, then that’s not really a far jump.”

Alla Valente, senior analyst at Forrester, summed up the regulatory struggle at the opening of the event. “Compliance is what brings order to potential chaos,” she said. “‘Fast and Furious’ is a really good way to think about both sides of the regulatory equation. On the one hand, you have organizations that are just reeling from the speed of all these regulations coming at once. And for the compliance folks, they’re just struggling to hang on. But that speed also accurately represents the speed of innovation that’s coming at all of us and our organizations.”

Becoming a Regulation Influencer

Sun said CISOs need to go beyond their own technical background and begin making connections with policy makers.

“I think it’s a new discipline for CISOs, especially those in global corporations, to learn how to work with your trade associations, with your chamber of commerce … to help shape the regulatory framework around the world,” he said. “My first advice for CISOs would be to help to influence the policy makers and regulators to make sure they think about not only national security, but also think about international commerce … to hold the vibrancy of their own economies.”

He added, “This fast and furious pace will continue … given robotics, AI, autonomous driving vehicles and all of those technologies are increasingly more important to our society for national security and everything else. So, regulation is coming if we like it or not … we better be able to influence it, make sure it’s sensible, make sure it’s implementable in our organizations.”

About the Author

Shane Snider

Senior Writer, InformationWeek

Shane Snider is a veteran journalist with more than 20 years of industry experience. He started his career as a general assignment reporter and has covered government, business, education, technology and much more. He was a reporter for the Triangle Business Journal, Raleigh News and Observer and most recently a tech reporter for CRN. He was also a top wedding photographer for many years, traveling across the country and around the world. He lives in Raleigh with his wife and two children.