While 2023 introduced countless new cybersecurity regulations, 2024 is shaping up to be unprecedented in the compliance arena. Between the Biden Administration’s executive order on securing artificial intelligence, the Securities and Exchange Commission’s disclosure mandates, and the Office of Management and Budget’s M-24-04 memorandum, organizations are navigating how to meet stricter requirements while keeping up with the windfall of day-to-day, ongoing processes that regularly challenge already-stretched security and operations teams.
Chief information security officers, in particular, face an uphill battle with compliance mandates. Regulations are an attempt to drive CISOs toward improved processes and greater accountability for the security program. But they also force CISOs to juggle additional policies and rules, even though many are challenged by stagnant budgets, lack of specialized talent, and increased technology complexity. With legal entities increasing pressure and personal liability on CISOs, the fear of non-compliance (or a headline-grabbing breach) should prompt CISOs to be more diligent in aligning their programs with regulations. Though untangling them all can be a burden in and of itself.
Understanding the regulations and how they apply to your company is the first step in applying them to your organization’s security posture.
The Biden Administration and federal compliance
In October, the Biden Administration released an executive order that established new standards for artificial intelligence safety. The EO emphasizes privacy and innovation, and has far-reaching implications for developers of AI as well as organizations using AI technology. For example, with this new directive, “developers of the most powerful AI systems” must now “share their safety test results and other critical information with the U.S. government,” in accordance with the Defense Production Act. Organizations must be cognizant that this executive order has set the stage for protecting workers and civilians from data privacy risks that come from increased and certain types of AI utilization.
Increased efforts to safeguard personal and federal data is ultimately positive for our infrastructure, businesses and personal lives. However, this executive order has far-reaching impacts that CISOs will need to navigate while teams across departments continue to incorporate new or improved AI tools into their technology stacks and workflows.
The SEC steps in for publicly traded companies
The SEC’s recent guidelines on cyberattack disclosure are equally as onerous for CISOs to navigate. Organizations must now report details of any “material cybersecurity incidents” in Form 8-K, and the disclosure will “generally” be due four business days following the company’s determination of a material cyber incident. Further, organizations will also now be required to disclose “material information regarding their cybersecurity risk management, strategy and governance” on an annual basis. This means that CISOs and their teams must have documented and defensible strategies for their security program and be able to clearly describe established processes for “assessing, identifying and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents.”
The SEC’s disclosure protocols bring a new level of scrutiny to an organization’s security program and the CISO, specifically. While regulations that keep organizations’ accountability in check are important, these rules introduce the need for new processes, detailed documentation, and both a description for and understanding of what constitutes a “material breach,” which can be highly subjective depending on the organization, its risk tolerance, and the board of directors’ level of involvement and oversight. With their reputation (and job security) on the line, cautious CISOs will have to ensure the highest level of due diligence so that they don’t take on more personal liability than is necessary.
OMB sets guidelines for the public sector
OMB’s cybersecurity memorandum M-24-04 is similarly cumbersome for federal institutions. While the goal of M-24-04 is to provide federal agencies with fiscal year 2024 reporting guidelines and deadlines for compliance with the Federal Information Security Modernization Act, it emphasizes the need for a clear understanding of all the devices connected to an agency’s network, as well as timely, consistent and accurate reporting. Agencies must provide a report to CISA within 72 hours if a vulnerability is detected, forcing CISOs to have a complete understanding of their tech stack to move swiftly within the reporting period. If that framework isn’t in place, it will be an uphill battle for CISOs to maintain compliance.
Actions for CISOs
CISOs have the primary responsibility to set the policies and processes that keep their organization’s security infrastructure intact and ensure issues are resolved quickly and to the fullest extent possible. While positive overall, an increasing number of stricter regulations pose potential obstacles to CISOs’ efficiencies. Stress levels will be especially high if failure to comply can personally impact the CISO. Luckily, there are immediate steps CISOs can take to alleviate some of the burden from themselves.
First, organizations must understand their network infrastructure and the assets communicating on it. From there, step two is mapping the attack surface and understanding the interconnections between assets, networks, users, etc., so that IT and security teams can visualize how a compromise could impact the organization. This mapping exercise also helps with third-party and supply chain risk management, so it is a crucial step. The third step requires security teams to identify vulnerabilities and misconfigurations in their networks so they can see where they are most at risk and what the potential downstream effects of a security compromise would be.
With the above knowledge, security and IT teams can then prioritize what aspects of their systems should be most protected. This relies on contextual data as well as understanding the business, its needs, its operational and strategic goals, what it can and can’t live without, etc. Once those structures are in place, security teams must constantly monitor and conduct continuous measurements to make sure they are addressing (and seeing) the correct problems.
The cyber regulatory landscape will continue to grow
This is likely just the beginning of expanded regulations that will impact the cybersecurity space. It’s clear that security is being taken seriously within all areas of government, which is a necessary change as emerging technology continues to pervade every aspect of our professional and personal lives.
While organizations navigate the early stages of these regulations, the responsibility is on CISOs, personally, to understand how to adopt and apply policies. Through increased visibility across an organization’s technology stack, CISOs can make better decisions about the direction and execution of their security program, and continually verify that they are doing all they can to remain as compliant as possible.
Katie Teitler-Santullo is a senior cybersecurity strategist at Axonius.
Compliance in 2024: Cutting through the noise
Chief information security officers, in particular, face an uphill battle with compliance mandates.
While 2023 introduced countless new cybersecurity regulations, 2024 is shaping up to be unprecedented in the compliance arena. Between the Biden Administration’s executive order on securing artificial intelligence, the Securities and Exchange Commission’s disclosure mandates, and the Office of Management and Budget’s M-24-04 memorandum, organizations are navigating how to meet stricter requirements while keeping up with the windfall of day-to-day, ongoing processes that regularly challenge already-stretched security and operations teams.
Chief information security officers, in particular, face an uphill battle with compliance mandates. Regulations are an attempt to drive CISOs toward improved processes and greater accountability for the security program. But they also force CISOs to juggle additional policies and rules, even though many are challenged by stagnant budgets, lack of specialized talent, and increased technology complexity. With legal entities increasing pressure and personal liability on CISOs, the fear of non-compliance (or a headline-grabbing breach) should prompt CISOs to be more diligent in aligning their programs with regulations. Though untangling them all can be a burden in and of itself.
Understanding the regulations and how they apply to your company is the first step in applying them to your organization’s security posture.
The Biden Administration and federal compliance
In October, the Biden Administration released an executive order that established new standards for artificial intelligence safety. The EO emphasizes privacy and innovation, and has far-reaching implications for developers of AI as well as organizations using AI technology. For example, with this new directive, “developers of the most powerful AI systems” must now “share their safety test results and other critical information with the U.S. government,” in accordance with the Defense Production Act. Organizations must be cognizant that this executive order has set the stage for protecting workers and civilians from data privacy risks that come from increased and certain types of AI utilization.
Learn how DLA, GSA’s Federal Acquisition Service and the State Department are modernizing their contract and acquisition processes to make procurement an all-around better experience for everyone involved.
Increased efforts to safeguard personal and federal data is ultimately positive for our infrastructure, businesses and personal lives. However, this executive order has far-reaching impacts that CISOs will need to navigate while teams across departments continue to incorporate new or improved AI tools into their technology stacks and workflows.
The SEC steps in for publicly traded companies
The SEC’s recent guidelines on cyberattack disclosure are equally as onerous for CISOs to navigate. Organizations must now report details of any “material cybersecurity incidents” in Form 8-K, and the disclosure will “generally” be due four business days following the company’s determination of a material cyber incident. Further, organizations will also now be required to disclose “material information regarding their cybersecurity risk management, strategy and governance” on an annual basis. This means that CISOs and their teams must have documented and defensible strategies for their security program and be able to clearly describe established processes for “assessing, identifying and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents.”
The SEC’s disclosure protocols bring a new level of scrutiny to an organization’s security program and the CISO, specifically. While regulations that keep organizations’ accountability in check are important, these rules introduce the need for new processes, detailed documentation, and both a description for and understanding of what constitutes a “material breach,” which can be highly subjective depending on the organization, its risk tolerance, and the board of directors’ level of involvement and oversight. With their reputation (and job security) on the line, cautious CISOs will have to ensure the highest level of due diligence so that they don’t take on more personal liability than is necessary.
OMB sets guidelines for the public sector
OMB’s cybersecurity memorandum M-24-04 is similarly cumbersome for federal institutions. While the goal of M-24-04 is to provide federal agencies with fiscal year 2024 reporting guidelines and deadlines for compliance with the Federal Information Security Modernization Act, it emphasizes the need for a clear understanding of all the devices connected to an agency’s network, as well as timely, consistent and accurate reporting. Agencies must provide a report to CISA within 72 hours if a vulnerability is detected, forcing CISOs to have a complete understanding of their tech stack to move swiftly within the reporting period. If that framework isn’t in place, it will be an uphill battle for CISOs to maintain compliance.
Actions for CISOs
CISOs have the primary responsibility to set the policies and processes that keep their organization’s security infrastructure intact and ensure issues are resolved quickly and to the fullest extent possible. While positive overall, an increasing number of stricter regulations pose potential obstacles to CISOs’ efficiencies. Stress levels will be especially high if failure to comply can personally impact the CISO. Luckily, there are immediate steps CISOs can take to alleviate some of the burden from themselves.
First, organizations must understand their network infrastructure and the assets communicating on it. From there, step two is mapping the attack surface and understanding the interconnections between assets, networks, users, etc., so that IT and security teams can visualize how a compromise could impact the organization. This mapping exercise also helps with third-party and supply chain risk management, so it is a crucial step. The third step requires security teams to identify vulnerabilities and misconfigurations in their networks so they can see where they are most at risk and what the potential downstream effects of a security compromise would be.
With the above knowledge, security and IT teams can then prioritize what aspects of their systems should be most protected. This relies on contextual data as well as understanding the business, its needs, its operational and strategic goals, what it can and can’t live without, etc. Once those structures are in place, security teams must constantly monitor and conduct continuous measurements to make sure they are addressing (and seeing) the correct problems.
The cyber regulatory landscape will continue to grow
This is likely just the beginning of expanded regulations that will impact the cybersecurity space. It’s clear that security is being taken seriously within all areas of government, which is a necessary change as emerging technology continues to pervade every aspect of our professional and personal lives.
Read more: Commentary
While organizations navigate the early stages of these regulations, the responsibility is on CISOs, personally, to understand how to adopt and apply policies. Through increased visibility across an organization’s technology stack, CISOs can make better decisions about the direction and execution of their security program, and continually verify that they are doing all they can to remain as compliant as possible.
Katie Teitler-Santullo is a senior cybersecurity strategist at Axonius.
Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
Related Stories
Test Your Knowledge of Federal Cybersecurity Laws and Regulations
Leveraging lessons from the Okta breach to enhance federal cybersecurity
Leading university offers way to keep up with cybersecurity policy