Q2 2023 Top Cybersecurity Control: Qualified Cybersecurity Leadership

Cybersecurity regulatory, insurance and client contractual requirements are changing rapidly. Gartner reports that 88% of Boards of Directors recognize that cybersecurity risk is business risk. With the average worldwide total cost of a data breach at a staggering $4.35 million USD, the financial and reputational damage from a breach can devastate or destroy a business. So, it’s no surprise that regulators are stepping in to require strategic cybersecurity leadership since many customers, partners, and insurers already include minimum cybersecurity standards and incident reporting requirements in their contracts.

Organizations need skilled cybersecurity leadership, such as a CISO or equivalent, to navigate today’s tricky cybersecurity threats and stay ahead of evolving regulatory requirements. Skilled leadership is also critical for ensuring that cybersecurity investments are effectively prioritized and implemented. Based on the regulatory changes and widespread need, we have selected “Qualified Security Leadership” as our top cybersecurity control for Q2 2023. If you haven’t had a chance to read our full list of Top Cybersecurity Controls for 2023, take a peek—it can help you prioritize your cybersecurity spending. Now, let’s dig into some of the recent trends and changes behind our Q2 priority control.

Regulations Are Increasingly Mandating Organizations Designate a Cybersecurity Pro to Oversee Cybersecurity

An increasing number of regulators now specify that organizations need a designated, experienced cybersecurity leader. Let’s take a quick look at some of these new and upcoming regulatory changes:

• Federal Trade Commission (FTC). The FTC recently updated its “Safeguards Rule,” which is designed to ensure that organizations protect the security of customer data. It applies to non-banking financial institutions, which can include auto dealerships, mortgage brokers, accounting firms, universities, and more. One critical change is that entities must now designate a single “qualified individual” to oversee cybersecurity. In addition, this “qualified individual” must report to the Board of Directors at least annually. Due to a shortage of qualified security personnel, the FTC recently extended the deadline for compliance to June 9, 2023. Importantly, the individual selected can be outsourced or hired on a fractional basis, opening the door for “virtual CISO” services, which have expanded throughout the cybersecurity industry. (If you need assistance, check out LMG’s “virtual CISO” services.)
• The New York Department of Financial Services (NYDFS) recently proposed amendments strengthening cybersecurity leadership requirements for financial services companies. While the state already required entities to hire a “Chief Information Security Officer” (CISO), which needs to be a “qualified individual. The proposed amendment now also states that “[t] he CISO must have adequate authority to ensure cybersecurity risks are appropriately managed, including the ability to direct sufficient resources to implement and maintain a cybersecurity program.”
• Upcoming SEC Cybersecurity Disclosure Regulations. In March of 2022, the SEC proposed new cybersecurity regulations for public companies, and the final rule is scheduled to be released in the next few months. For financial and market related organizations, there are multiple proposed SEC cybersecurity disclosure regulations for investment advisory/organizations and financial “Market Entities” that are currently in the comment period and likely to be adopted in the next year. Some of the highlights of these proposed regulations are that covered entities would have to:
  • Provide public reports on their cybersecurity policies, procedures, and implementation.
  • Evaluate and mitigate the impact of cybersecurity risks on their operations, financial condition, and reputation.
  • Disclose material cybersecurity incidents within a specific timeframe and provide periodic updates.
  • Provide a qualified cybersecurity leader on the Board of Directors to oversee and manage cybersecurity risks and governance.

Top 5 Reasons Organizations Need Qualified Cybersecurity Leadership

Let’s look at a recent example where strategic cybersecurity leadership could have reduced an organization’s risk. After the recent DISH ransomware attack, multiple shareholder class action lawsuits  have been filed alleging that DISH committed securities fraud by overstating its operational efficiency due to deficient cybersecurity and IT infrastructure. Clearly this is not an issue IT could have handled, and this example makes it easy to see why regulators are stepping in and requiring a designated strategic cybersecurity leader to protect the rights of shareholders, customers, partners. and consumers.

Let’s dive into what you need to know about changing regulations, as well as the benefits and options for adding strategic cybersecurity leadership by starting with the top 5 benefits a CISO or Virtual CISO can deliver:

• Reduction of business risk. Most board members typically have a background in finance or as an executive. In today’s digital world, it’s too big of a risk to leave cybersecurity considerations out of your product roadmap, partner/supply chain, organizational budget considerations, and risk planning. Without a CISO or Virtual CISO for advice, your BOD is unlikely to consider the cybersecurity implications of business decisions and major initiatives – what looks like a wise, efficient decision to the CFO can have hidden security risks and costs that a CISO can flag.
• One designated person as a strategic resource to help your organization prioritize cybersecurity technology adoption and spending, as well as create a long term plan for continuous improvement based on an industry standard framework like the NIST CSF. A CISO or Virtual CISO can help you organization develop a strategic plan to prioritize cybersecurity investments and coordinate a long-term plan for continuous cybersecurity improvements that prioritizes addressing your biggest risk reduction activities while staying within your budget. They can also help create a culture of security throughout your organization. Having someone from the C-suite overseeing company policies and driving cybersecurity awareness efforts throughout your organization is crucial. Read 6 Steps for Building A Strong Security Culture in Your Organization for detailed advice on how to accomplish this goal.
• Strategic direction on cybersecurity as a foundational requirement during product development and product purchases, as well as flagging any cybersecurity risks in your organization’s strategic initiatives. Organizations often fail to consider cybersecurity from the beginning, which can slow down growth and project implementation. Incorporating cybersecurity as a foundational element can also improve several KPIs and speed time to market when compared to an organization that tries to bolt it on at the end.
• Guidance on evolving threats and changing cybersecurity technologies. Adding a CISO or Virtual CISO to your leadership team can help your technical teams understand the KPIs that are crucial to your executive team and board, and vice versa. It can also ensure that your business team is security conscious, and your security team is aligned with business priorities.
• Ensure your organization understands and complies with all regulatory requirements, as well as contractual requirements for your customers, partners, and cyber insurer. With rapidly evolving requirements in multiple different areas, you need a designated strategic leader to provide guidance on current regulations, work with legal experts to ensure compliance, ensure regulatory and contractual obligations are met, and to provide the appropriate disclosures.

How to Find and Afford a CISO

Most organizations recognize the need for strategic cybersecurity leadership and planning. However, an experienced CISO commands an average salary of $230k plus benefits, and demand for these experts is high, making them hard to find and hire. Also, with high stress levels and few qualified resources, turnover in the CISO position is very high. In fact, the average tenure for a CISO is 26 months.

For both budget reasons and continuity, virtual CISO services can be a smart approach. This way, you have the designated individual in the CISO role for strategic leadership, to comply with regulatory changes, and respond to customer/insurance requirements. A fractional CISO arrangement can be structured for only the hours your organization requires, so you can make the best use of your budget. At LMG, our virtual CISO services always include a primary and backup CISO, so you never have to worry about your CISO being unavailable.

An experienced CISO or virtual CISO can bridge the gap between technical teams and leadership, and explain cybersecurity matters using language and examples your executives and board will understand. Finally, a CISO or Virtual CISO can help you prepare for the new cybersecurity disclosure rules by reviewing policies, providing oversight, and preparing a checklist of activities required to successfully comply with new regulations and address today’s evolving cybersecurity risks.

If you need Virtual CISO services or help defining security policies and procedures, contact us. Our expert team is ready to help!