Majority of global CISOs want to split roles as regulatory burdens grow
In many ways, the job of the Chief Information Security Officer is divided between two radically different areas of expertise. On one hand, there are the daily technical responsibilities that go into maintaining the security posture of a large enterprise. On the other hand, there are regulatory compliance duties, which have only become more onerous as the US Securities and Exchange Commission have added new responsibilities for incident-reporting and corporate regulation, which causes CISOs to have more responsibilities in the boardroom. To make matters worse, if the companies fail to meet compliance requirements and an incident occurs, it is usually the CISO who is on the line, and not only their job but their reputation and even their liberty might be at stake. The SEC currently has an ongoing civil fraud case against SolarWinds and its CISO Timothy Brown, accusing him of failure to disclose necessary information to investors.
Because of these changes, many CISOs, according to a survey of over 500 CISOs conducted during August and September, are concerned about the future. 9 out of 10 CISOs polled said the changing regulatory landscape is redefining what it means to be a CISO. Four in 5 said the time and effort required to keep pace with the new regulations is not sustainable. On top of their regular security duties, more than half of CISOs polled now meet with their company boards on a weekly basis. The consensus is clear: a majority of CISOs believe that risk management and regulatory compliance at the corporate level should be the responsibility of a separate position, who can commit themselves fully to it.