
A sea change for CISOs: Five key trends on evolving cyber regulations

A sea change is about to occur for CISOs. How cybersecurity leaders and their teams execute compliance is about to shift. In this blog, we explore the five key trends that are evolving approaches to cybersecurity regulations and compliance.

Liana Vickery

This change in direction is being driven by a range of factors, but the most significant is the increase in more stringent regulation and legislation. In the United States, this includes the Securities and Exchange Commission’s (SEC) cybersecurity disclosure rules and the New York Department of Financial Services (NYDFS) NYCRR Part 500 regulation.

We sat down with Simon Goldsmith, Enterprise Security and Platforms Lead at OVO Energy, to discuss how CISOs can better bridge the gap between regulation and compliance.

We discussed the range of factors driving this change, and the approaches security leaders can use to navigate these choppy compliance waters.

Let’s dig deeper into the five key trends Simon identified...

Trend 1: External drivers on regulatory influence

The rise of sophisticated cyber threats and attacks has, unsurprisingly, placed cybersecurity at the forefront of federal agencies’ and regulators’ agendas. It is pushing regulators to adopt more stringent and comprehensive legislation aimed at improving digital and cyber resilience.

As organizations face a growing wave of cyber attacks, governments are compelled to set the bar higher for compliance. Had a more proactive approach been in place, this increase could have been prevented.

“If ransomware operators carry on just running unfettered across everybody’s systems, that’s a pretty big driver to get better security measures in place. If nation-state actors and their intrusions continue to escalate, then governments and regulators are naturally going to get more animated about tightening compliance.”

Simon Goldsmith
Enterprise Security and Platforms Lead at OVO Energy

We have entered a more regulated environment. The onus is on organizations to ensure operational resilience, and on their executives to demonstrate effective compliance.

Trend 2: A new era for transparent accountability

Mounting pressure on CEOs and boards to demonstrate compliance is driving a growing emphasis on accountability and visibility.

New regulations, such as DORA, are forcing organizations to be more transparent about their digital resilience, security controls, and risk management. This shift is aimed at ensuring that businesses are not only complying with cybersecurity standards, but also actively demonstrating how they are mitigating risk.

Compliance is no longer a "checkbox" exercise for security leaders. It must be treated as a continuous effort to monitor and maintain a strong security posture. CISOs need real-time visibility and accountability at every level.

This is why many CISOs are adopting a continuous compliance approach (one like Continuous Controls Monitoring) to deliver the oversight they need. Teams can quickly and easily understand how controls are performing against regulations and frameworks, taking the right action to remain compliant and effectively manage risk.

Trend 3: The evolving role of security leaders

As the regulatory environment becomes more complex and interconnected with broader business goals, the role of security leaders is evolving.

The CISO is transitioning from a tactical, operational role to a more strategic position that requires closer interaction with the board. This shift acknowledges that cybersecurity is no longer just an IT issue, but a business risk that must be managed at the highest levels of an organization. That is why it is crucial to translate cyber jargon and technical information into the language of the business.

Security leaders are now responsible for providing insights on risk management, resilience, and compliance. These insights help inform top-level decision-making, ensuring security is integrated into overall business strategies.

Trend 4: Risk management over prescriptive regulations

Another key shift that Simon points out is the movement towards regulations that are more focused on outcomes and risk management rather than being overly prescriptive.

Traditionally, cybersecurity frameworks and standards like NIST CSF have outlined detailed and specific steps that organizations must follow. However, this approach has limitations, as it may not account for the unique needs or circumstances of each industry or individual organization. What works for financial institutions may not work for telecommunications or infrastructure.

“There is a problem if regulations get too prescriptive about security controls. Companies make such widely varying decisions around their technology strategies that a one-size-fits-all standard is unlikely to be effective. That’s why more successful regulations focus on risk management rather than rigid control requirements.”

Simon Goldsmith
Enterprise Security and Platforms Lead at OVO Energy

This means the traditional approach to compliance needs rethinking. Organizations must find an efficient way of measuring compliance against frameworks and regulations that can flex as those frameworks and regulations change.

There must be a focus on how businesses assess and manage risk, rather than following a one-size-fits-all approach. This allows businesses to innovate while still meeting security and compliance standards.

Trend 5: Integration of compliance into business intelligence

Compliance efforts are increasingly becoming integrated into overall Business Intelligence (BI) tooling.

Rather than existing as a separate or siloed function, compliance will be embedded into the business’s day-to-day operations. This allows organizations to use data-driven insights to inform their decision-making processes.

By incorporating compliance into broader BI strategies, businesses can achieve better outcomes and make more informed decisions that align with security and risk management goals.

Simon, sharing his approach at OVO Energy, explained, “Rather than just turning up at a management meeting once a quarter with a set of slides, we aim to embed security insights into business intelligence dashboards and technology reporting. If we treat security vulnerabilities and misconfigurations as defects, just like product teams track customer-reported issues, we ensure security is prioritized in a way that fits within the existing system of work.”

This integration enables organizations to identify issues early, track progress more effectively, and align their compliance efforts with overall business objectives. It can also support reporting requirements, such as the SEC’s requirement to disclose material incidents within four days.

The final thought: Adapt or perish

It’s now or never for CISOs. Adapt to the changing waters of compliance and regulations, or perish at sea.

Regulatory changes show no signs of slowing down. The ever-evolving threat landscape is pushing cybersecurity and risk management up the organizational agenda.

Organizations must adapt their security programs by integrating compliance into processes, embracing technology and automation, and ensuring greater accountability in their cybersecurity efforts.

The future of compliance will not be about ticking boxes. It will be about creating a transparent, trusted system that demonstrates compliance to all new and updated security frameworks.

You can watch the full webinar with Simon Goldsmith on our Brighttalk channel, or find more insights on our videos and webinar page.

About the author

Liana Vickery