How CISOs Can Navigate Cybersecurity Regulations: Forrester Panel

If you’re just trying to take the bare minimum steps to comply with mushrooming cybersecurity regulations, you might be doing it wrong.

That was one of the takeaways from Forrester’s Security & Risk 2023 conference opening day Tuesday, which featured a panel discussion about quickly changing regulatory requirements. The keynote, “Too Fast, Too Furious: Managing the Speed of Cybersecurity Regulatory Change,” featured a discussion with Gene Sun, corporate vice president and CISO at FedEx, and Stephanie Franklin-Thomas, senior vice president and CISO with ABM Industries.

The pace of regulation is following increasing digitalization throughout our lives, Sun said. “Every single thing is being digitized in our enterprises, in our companies, and in your personal lives,” he said. “How many gadgets in your home have been digitized and connected to the internet? Doorbells, garage door openers, everything … This is one driver of regulation.”

The other cybersecurity regulation driver, he said, is national security. And compliance gets trickier if you run a multinational business. Because FedEx operates in more than 200 countries, keeping up with regulations can be a nightmare. “For the past few years in Washington, all of the regulatory intent is driven by national security.”

Related:Can Privacy Professionals Bring Governance to AI Before Regulators?

Using Compliance as Foundation

Franklin-Thomas said regulations are coming at a furious pace because in many ways, the US was behind in creating a regulatory framework. “I really feel like we’re behind the eight ball with all the regulation we need,” she said.

A company should do more than simply comply with regulations, Franklin-Thomas said. “Regulations that come out are really the minimum standard of what you should have,” she said, adding that companies will have an easier time with compliance even as new regulations come out if they try to go beyond minimum regulatory requirements. “If we are doing the right things to begin with, then that’s not really a far jump.”

Alla Valente, senior analyst at Forrester, summed up the regulatory struggle at the opening of the event. “Compliance is what brings order to potential chaos,” she said. “’Fast and Furious’ is a really good way to think about both sides of the regulatory equation. One the one hand, you have organizations that are just reeling from the speed of all these regulations coming at once. And for the compliance folks, they’re just struggling to hang on. But that speed also accurately represents the speed of innovation that’s coming at all of us and our organizations.”

Related:US Lawmakers Mull AI, Data Privacy Regulation

Becoming a Regulation Influencer

Sun said CISOs need to go beyond their own technical background and begin making connections with policy makers.

“I think it’s a new discipline for CISOs, especially those in global corporations to learn how to work with your trade associations, with your chamber of commerce … to help shape the regulatory framework around the world,” he said. “My first advice for CISOs would be to help to influence the policy makers and regulators to make sure they think about not only national security, but also think about international commerce … to hold the vibrancy of their own economies.”

He added, “This fast and furious pace will continue … given robotics, AI, autonomous driving vehicles and all of those technologies are increasingly more important to our society for national security and everything else. So, regulation is coming if we like it or not … we better be able to influence it, make sure it's sensible, make sure it’s implementable in our organizations.”