Most Global CISOs Favor Role Separation Amid Increasing Regulatory Demands

The Evolving Role of the CISO: A Call for Separation in Responsibilities

In an era where cybersecurity threats are becoming increasingly sophisticated and regulatory scrutiny is intensifying, the role of the Chief Information Security Officer (CISO) is undergoing a significant transformation. A recent report by Trellix and Vanson Bourne reveals that more than 80% of CISOs believe their responsibilities should be divided into two distinct positions. This shift reflects the growing complexity of the cybersecurity landscape, where regulatory compliance and financial risks are consuming a larger portion of their time and focus.

The Case for Splitting the CISO Role

The report, based on a survey of over 500 CISOs across the Americas, Europe, the Middle East, and the Asia-Pacific region, highlights a pressing concern among cybersecurity leaders. Many CISOs advocate for the creation of two separate roles: one that emphasizes technical, hands-on security measures and another that prioritizes regulatory compliance and boardroom engagement. This bifurcation is seen as a necessary response to the evolving demands of the role, which now encompasses a broader range of responsibilities than ever before.

Harold Rivas, CISO at Trellix, articulates the dual nature of the CISO’s responsibilities. He notes that while recent regulatory changes have elevated the importance of cybersecurity within corporate governance, they have also introduced new challenges. “On the one hand, they have continued to elevate the role and squarely placed cybersecurity as a boardroom agenda item,” Rivas explains. “On the other hand, regulations and legal actions related to them have increased personal liability, creating a new source of stress for those in the role.”

The Impact of Regulatory Changes

The landscape of cybersecurity is being reshaped by regulatory changes from bodies like the Securities and Exchange Commission (SEC). These changes have imposed stringent incident-reporting requirements and have necessitated regular interactions between CISOs and their boards. The report indicates that nearly half of the surveyed CISOs now meet with their boards on a weekly basis, a significant increase that underscores the growing importance of cybersecurity in corporate strategy.

However, this increased visibility comes with heightened legal risks. The SEC’s ongoing civil fraud case against SolarWinds and its CISO, Timothy Brown, serves as a cautionary tale. The case revolves around allegations that the company failed to adequately disclose cybersecurity risks to investors prior to the 2020 Sunburst attacks. Such incidents have raised alarms among CISOs, with approximately 90% of respondents indicating that the changing regulatory landscape is redefining what it means to be a CISO.

The Unsustainable Burden of Compliance

The report also reveals that four out of five CISOs feel that the time and effort required to keep pace with new regulations are unsustainable. As the regulatory environment continues to evolve, many cybersecurity leaders find themselves stretched thin, balancing technical responsibilities with compliance obligations. This dual burden can lead to burnout and may hinder the effectiveness of cybersecurity programs.

Michelle Horton, principal of cyber, risk, and regulatory at PwC US, offers a counterpoint to the call for splitting the CISO role. She argues that effective risk management and regulatory compliance should be a collaborative effort across various departments, including legal, cybersecurity, risk management, compliance, and internal audit. “This is not necessarily a reason to split the CISO role,” Horton asserts, suggesting that organizations may need to mature their risk management practices rather than fragment leadership roles.

The Future of Cybersecurity Leadership

As the Biden administration outlines plans to harmonize compliance requirements, the conversation around the CISO’s role will likely continue to evolve. Companies are now expected to quickly report significant attacks, disclose cyber resilience strategies, and meet minimum security standards within their respective sectors. This regulatory push could further complicate the CISO’s responsibilities, making the case for a reevaluation of the role even more pressing.

In conclusion, the role of the CISO is at a crossroads. As cybersecurity threats grow more complex and regulatory demands increase, the need for specialized leadership within cybersecurity is becoming more apparent. Whether organizations choose to split the CISO role or enhance collaboration across departments, one thing is clear: the future of cybersecurity leadership will require a nuanced understanding of both technical and regulatory landscapes. The decisions made today will shape the effectiveness of cybersecurity strategies and the protection of corporate assets in the years to come.
