A New Era for CISOs: Navigating Regulations and Unprecedented Threats

By fostering strong relationships and adapting frameworks to industry-specific regulations, CISOs can navigate the changing landscape and better prepare their companies for cyber threats in 2024 and beyond.


Within just two months, we’ve already seen a slew of new data breaches and cyber incidents paving the way for 2024. In response to rapid changes in cybersecurity, the SEC adopted regulations in July, outlining a specific set of cybersecurity disclosure rules for today's enterprises. As part of the ruling, which went into effect in December, companies must “disclose both material cybersecurity incidents they experience and, on an annual basis, material information regarding their cybersecurity risk management, strategy, and governance.” 

Today’s chief information security officers, or CISOs, have had to adapt to this new era of unprecedented cyberattacks -- often wearing several hats at once as they navigate larger attack landscapes while responding to the much-needed accountability measures companies are employing, spurred by the SEC regulations. With these nuances as the backdrop for an evolving CISO role, one thing is clear: The responsibility of cybersecurity can no longer rest on one person. Rather, CISOs must begin to leverage important relationships, while leading strong cybersecurity initiatives, to address today's security challenges.  

The Modern Day CISO 

The role of CISO is relatively new. Unlike chief financial officers or chief executive officers, the chief information security officer’s role didn’t officially exist until the mid-1990s. One of the burdens for CISOs in 2024 is how much the role has changed in the last two decades. In fact, according to Splunk’s 2023 CISO report, 90% of CISOs surveyed believed the role had become a “completely different job” from when they started.  


The CISO role is now much more outward facing. In the early days, before global digital transformation, many CISO roles were limited to policymaking, governance, and monitoring traffic. However, in the age of almost total dependence on technology, the role has become more prominent.  

CISOs Are No Longer in Silos

The 8-K filings are a good indicator of why today’s CISOs need to partner with their C-suite counterparts closely. Because digital dependencies run throughout an entire organization, cybersecurity stakeholders should extend outside the CISO and their cybersecurity teams.  

This begins at the executive level. It’s a good idea for CISOs to develop close working relationships with the CEO (chief executive officer), CFO (chief financial officer), and CLO (chief legal officer). If each of these relationships is strong, then everyone can ensure that technology investments -- including the latest in cloud and AI technology -- are assets to business and financial outcomes without causing legal trouble.


These relationships are especially important when it’s time for budget discussions. One of the main questions in CISO circles today is, “As a company grows, will it increase its cyber security resources?” According to the 2023 CISO report, 87% of CISOs say they’ve demonstrated a business case for increased budget year-over-year, yet only 35% say that their boards allocate adequate cybersecurity budgets. 

For some C-suite personnel and board members, cybersecurity is becoming a growing investor risk. CEOs are concerned with the amount of business risk that they’re taking on and CFOs are concerned with the cost attributed. To maintain a close relationship with C-suite stakeholders, it is important to hold regular 1:1 meetings with the CEO, CFO, or CLO.  This will give them ongoing insight into cybersecurity needs and the reasons why cybersecurity should be a budget prerogative. With an industry that’s constantly changing and responding to the latest attacks, this is paramount.  

CISOs as Leaders and Communicators  

Although the CISO should look for partnerships in cybersecurity, ultimately the onus still rests on their shoulders to lead a solid cybersecurity culture. To do this, CISOs must be strong leaders and great communicators of their company’s cybersecurity story. For example, as technologies like generative AI (GenAI) evolve, CEOs everywhere will have questions about how this new technology can help or hurt them. It’s on the CISO to effectively communicate the methods through which their company can safely leverage AI technology without completely hindering GenAI’s benefits to business outcomes. 


Another way for CISOs to show leadership is through the establishment of cybersecurity benchmarks. This will give the entire IT or cybersecurity team a standard by which to measure themselves. For example, many companies use the National Institute of Standards and Technology (NIST) framework, which focuses on five core principles: identify, protect, detect, respond, and recover.  

While each of these principles provides a foundation upon which to build cybersecurity practices, it’s important to note that the realization of this framework can look different for everyone. In other words, there may also be industry-specific regulations for certain companies that dictate how each company can leverage this framework. Let’s take the airline industry for example.  

In March 2023, the Transportation Security Administration (TSA) announced updates to cybersecurity requirements for airport and aircraft operators. For the past year, airline and airport cybersecurity personnel have been working to follow four federally-issued guidelines which encourage the following: access control measures, enhanced segmentation policies, continued monitoring and detection policies, and regular security patches/updates for operating systems. For CISOs in the airline space, these guidelines will shape their method of “identifying” and “protecting” as outlined in the NIST framework.  

You Don’t Have to Go It Alone 

As much as the latest cybersecurity technology can help secure an enterprise’s digital framework, it will be the CISO’s ability to build relationships and establish sound frameworks that will help any company adjust to today’s cybersecurity landscape. The financial, legal, and business implications of a cybersecurity incident no longer allow a CISO to work in the background. It’s time for cybersecurity leaders to look at their CFO, CLO, and CEO colleagues as partners in building a secure enterprise. With these relationships in place, CISOs can prepare their companies for any cyber-attack, stick to the latest federal regulations and adjust to however the CISO role continues to evolve in 2024.  

About the Author(s)

Deneen DeFiore

Vice President and Chief Information Security Officer, United Airlines

Deneen DeFiore currently serves as Vice President and Chief Information Security Officer at United Airlines. She is responsible for leading the cybersecurity and digital risk organization to ensure the company is prepared to prevent, detect, and respond to evolving cyber threats. She leads initiatives on commercial aviation cyber safety risk, improving cyber resilience, and represents United working with international partners to reduce cyber safety risk world-wide across the aviation ecosystem. Deneen is on the board of the Aviation Information Sharing Analysis Center and the Chairperson of the Airlines for America (A4A) Cybersecurity Committee. She is an independent director on the board of directors at Blackbaud software. In 2022, she was appointed to serve on the President’s National Infrastructure Advisory Council (NIAC), advising the White House on how to reduce physical and cyber risks and improve the security and resilience of the nation’s critical infrastructure sectors. 

Jason Lee

Vice President & Chief Information Security Officer, Splunk

Jason Lee is Vice President and Chief Information Security Officer at Splunk. A highly respected technology executive with 20 years of experience in information security and operating mission-critical services, Jason led security for large enterprises prior to joining Splunk including Zoom and Salesforce, where he led the delivery of critical end-to-end security operations including company-wide network and system security, incident response, threat intel, data protection, vulnerability management, intrusion detection, identity and access management and the offensive security team. Before that, he spent 15 years at Microsoft and held various senior leadership roles, including Principal Director of Security Engineering for the Windows and Devices division, as well as Senior Director of Developer Services. As Senior Director of Developer Services, he oversaw the design and management of the mission-critical PKI for all products across the company. Lee holds a B.A. from Washington State University. 
