Why 2024 will be the year of the CISO

The year 2023 has been difficult for CISOs.

  • In May, former Uber CISO Joe Sullivan was sentenced to three years' probation and a $50,000 fine. Sullivan had concealed a data breach from regulators and paid the hackers to keep quiet. He has appealed the conviction.
  • In October, the US Securities and Exchange Commission (SEC) charged SolarWinds and its CISO, Tim Brown, with fraud and internal control failures relating to cybersecurity risks and vulnerabilities the company allegedly already knew about. According to the SEC statement, “The complaint alleges, SolarWinds’ public statements about its cybersecurity practices and risks were at odds with its internal assessments, including a 2018 presentation prepared by a company engineer and shared internally, including with Brown, that SolarWinds’ remote access set-up was ‘not very secure’ and that someone exploiting the vulnerability ‘can basically do whatever without us detecting it until it’s too late,’ which could lead to ‘major reputation and financial loss’ for SolarWinds.”
  • In December, Steve Katz, widely regarded as the world’s first CISO, passed away. Katz first took on the CISO role at Citicorp in 1995 and went on to hold it at JP Morgan and Merrill Lynch. According to an article from bankinfosecurity, Katz “spent the bulk of his retirement advocating for cybersecurity standards, information sharing, and effective leadership.”

Aside from the experiences of these individuals, CISOs also faced a wave of new regulations in 2023, with more coming next year. The new SEC cybersecurity rules make cyber-incident reporting mandatory for all US-listed companies. Domestic issuers must disclose a material cybersecurity incident on Form 8-K within four business days of determining that it is material; foreign private issuers disclose material incidents on Form 6-K. Registrants must also describe, in their annual reports, their processes for assessing and managing cybersecurity risk, the board's oversight of that risk, and management's role and expertise in handling it.

Financial services firms also face the amended New York State Department of Financial Services regulation 23 NYCRR 500, which adds requirements for larger companies, expands governance obligations for boards, broadens cyber-incident notification duties, introduces new requirements for incident response and business continuity planning, and extends the multifactor authentication requirements.

In Europe, member states must transpose NIS2 into national law by October 2024. While NIS1 covered critical sectors such as healthcare, energy, transport, digital infrastructure, and financial market infrastructure, NIS2 extends coverage to the food sector (production, processing, and distribution), social networking platforms, cloud computing services, and data centers. NIS2 focuses on four primary areas: risk management, corporate accountability, reporting obligations, and business continuity. At a more granular level, NIS2 affects policies and procedures for the use of cryptography, vulnerability management programs, employee access to sensitive data, multi-factor authentication, evaluation of security technology efficacy, employee training, and supply chain security.

How are CISOs coping with this bong hit of legal scrutiny and regulatory oversight? Not well. According to recent research from ESG and the Information Systems Security Association (ISSA), 62% of CISOs surveyed say their job is stressful at least half the time. CISOs are particularly stressed by an overwhelming workload, working with disinterested business managers, and keeping up with the security requirements of new business initiatives. Furthermore, 36% of CISOs say it is likely or very likely that they will leave their current job within the next year, compared with 26% of non-CISOs. Many (46%) have considered leaving cybersecurity altogether, compared with 28% of non-CISOs.

Why would CISOs move on from cybersecurity? Sixty-five percent say they have considered an exit due to the high stress associated with a cybersecurity job, 43% claim they are frustrated because their organization doesn’t take cybersecurity seriously, and 39% say they are close to retirement age and will leave the cybersecurity profession upon retirement.
