{"id":2387,"date":"2024-01-19T22:20:00","date_gmt":"2024-01-19T22:20:00","guid":{"rendered":"https:\/\/www.darkreading.com\/cybersecurity-operations\/top-3-priorities-for-cisos-in-2024"},"modified":"2024-01-19T22:20:00","modified_gmt":"2024-01-19T22:20:00","slug":"top-3-priorities-for-cisos-in-2024","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/01\/19\/top-3-priorities-for-cisos-in-2024\/","title":{"rendered":"Top 3 Priorities for CISOs in 2024"},"content":{"rendered":"<div class=\"media_block\"><a href=\"https:\/\/i0.wp.com\/eu-images.contentstack.com\/v3\/assets\/blt6d90778a997de1cd\/blt0b3ebbcc9a58fd6d\/65aaf3d7bb8508040aaa4450\/cisochoices-Panther_Media_GmbH-alamy.jpg?ssl=1\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/top-3-priorities-for-cisos-in-2024.jpg?w=640&#038;ssl=1\" class=\"media_thumbnail\"><\/a><\/div>\n<div><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/top-3-priorities-for-cisos-in-2024.jpg?w=640&#038;ssl=1\" class=\"ff-og-image-inserted\"><\/div>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">As the new year begins, CISOs gather with their security teams and corporate management to scope out top priorities for 2024 and how to address these issues. 
This year \u2014 with a multitude of new privacy laws, Securities and Exchange Commission regulations, cyber threats, and new technologies promising to solve those threats \u2014 they might be losing sleep trying to optimally stack the proverbial Tetris pieces of the cybersecurity strategy.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Of all the challenges vying for the CISO&#8217;s attention, the personal and legal responsibility for data breaches the SEC has placed on CISOs could be the most challenging in the new year, says Nicole Sundin, chief product officer at Axio. &#8220;With CISOs being elevated to the boardroom to discuss these risks, they will need a system of record to protect themselves and demonstrate duty of care,&#8221; she notes.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">&#8220;Currently, CISOs have these conversations, make difficult choices, and act as they see necessary \u2014 but these may or may not be documented,&#8221; she says. &#8220;By having a single source of truth or a system of record, CISOs can better protect themselves. Otherwise, we will continue to see high-profile incidents where a CISO who doesn&#8217;t have this [record of events and why they were taken] in place takes the fall.&#8221;<\/span><\/p>\n<h2 class=\"ContentText ContentText_variant_h2 ContentText_align_left\" data-testid=\"content-text\">1. 
Defend Yourself Against Personal Liability<\/h2>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Sundin likens CISOs to healthcare executives, who keep detailed records of every action they take in order to defend themselves against claims of malfeasance. Considering that many CISOs are not covered under corporate directors and officers (D&amp;O) insurance policies, they would be liable personally under <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a href=\"https:\/\/www.darkreading.com\/cybersecurity-operations\/cisos-beware-secs-solarwinds-action-shows-theyre-scapegoating-us\" target=\"_blank\" class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" rel=\"noopener\">new SEC rules<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> should a breach occur. 
That includes personal liability both for a breach with data loss and for a privacy breach without data loss.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Sundin recommends that CISOs take the following steps as soon as possible:<\/span><\/p>\n<div data-component=\"basic-list\" class=\"BasicList BasicList_nestedLevel_0 BasicList_variant_unordered BasicList_limited\">\n<ul data-testid=\"basic-list-unordered\" class=\"BasicList-UnorderedList\">\n<li>\n<div class=\"BasicList-ListItem BasicList-ListItem_variant_unordered\" readability=\"7.5\"><span data-component=\"icon\" data-name=\"Circle\" class=\"BasicList-ListIcon BasicList-ListIcon_variant_unordered\"><\/span><\/p>\n<div class=\"BasicList-Item\" readability=\"10\">\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Create a system of record. 
It can be a planner or diary where every action relating to a potential security incident is recorded with a detailed, chronological description of each action taken and the reasons why they were taken.<\/span><\/p>\n<\/div>\n<\/div>\n<\/li>\n<li>\n<div class=\"BasicList-ListItem BasicList-ListItem_variant_unordered\" readability=\"8\"><span data-component=\"icon\" data-name=\"Circle\" class=\"BasicList-ListIcon BasicList-ListIcon_variant_unordered\"><\/span><\/p>\n<div class=\"BasicList-Item\" readability=\"11\">\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Create a corporate definition for &#8220;materiality,&#8221; with input from the general counsel or the chief risk officer, to establish clear guidelines for what is legally considered materially significant to investors or shareholders and what is not.<\/span><\/p>\n<\/div>\n<\/div>\n<\/li>\n<li>\n<div class=\"BasicList-ListItem BasicList-ListItem_variant_unordered\" readability=\"6.7739463601533\"><span data-component=\"icon\" data-name=\"Circle\" class=\"BasicList-ListIcon BasicList-ListIcon_variant_unordered\"><\/span><\/p>\n<div class=\"BasicList-Item\" readability=\"9.3141762452107\">\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a href=\"https:\/\/www.darkreading.com\/cyber-risk\/how-cisos-can-craft-better-narratives-for-the-board\" target=\"_blank\" class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" rel=\"noopener\">Learn to speak to the board of directors<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> and other executives in financial terms. 
Tell the board exactly which security controls are required, their cost, and the potential loss to the company if a breach occurs due to not having the security controls in place.<\/span><\/p>\n<\/div>\n<\/div>\n<\/li>\n<\/ul>\n<\/div>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">CISOs must also be active participants when <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a href=\"https:\/\/www.darkreading.com\/cyber-risk\/why-cisos-should-get-involved-with-cyber-insurance-negotiation\" target=\"_blank\" class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" rel=\"noopener\">negotiating cyber insurance policies<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">, Sundin says. Normally CISOs need to sign off on what the general counsel or CFO ultimately negotiates, but without having direct input \u2014 with a written record of their recommendations \u2014 they could become legally liable protecting a non-insurable exclusion.<\/span><\/p>\n<h2 class=\"ContentText ContentText_variant_h2 ContentText_align_left\" data-testid=\"content-text\">2. Monitor Emerging Privacy Threats<\/h2>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Cyber insurers will focus on privacy breaches in 2024, predicts David Anderson, vice president of cyber liability at Woodruff Sawyer, a national insurance brokerage. 
Anderson says cyber insurance underwriters are expected to <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a href=\"https:\/\/woodruffsawyer.com\/cyber-liability\/softening-cyber-insurance-market\/\" target=\"_blank\" class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" rel=\"noopener\">harden regulations<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> on how organizations implement security on private data and privileged accounts, including service accounts, which he notes, tend to be overprivileged and often have not had their passwords changed in years.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">&#8220;If you are not adhering to the privacy laws and statutes that are applicable to your business, to your jurisdiction, to which your reasonable standard applies, we&#8217;re not going to cover the fact that you are sharing data in a way that&#8217;s not aligned with your privacy policy or is not aligned with statute,&#8221; Anderson says.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Citing the tightening <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a href=\"https:\/\/www.bytebacklaw.com\/2023\/11\/u-s-privacy-litigation-update-october-2023\/\" target=\"_blank\" class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" rel=\"noopener\">privacy laws<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> in states such as California and Washington, he says cyber insurers are demanding organizations not only have comprehensive privacy policies in place, but 
be able to demonstrate that they follow their policies. If organizations fail to protect data covered by their privacy policy, they could find themselves without coverage.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">&#8220;It might be an uninsurable risk,&#8221; he says. &#8220;Those claims are horrifically expensive from a defense and settlement perspective.&#8221;<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">&#8220;The underwriter is going to look for more than just a yes or no checkbox [on a cyber insurance application]. You are going to have to show where these controls are embedded [and] where you&#8217;re forcing your vendors to adhere to the same level of care&#8221; as your organization&#8217;s privacy policies dictate, Anderson warns.<\/span><\/p>\n<h2 class=\"ContentText ContentText_variant_h2 ContentText_align_left\" data-testid=\"content-text\">3. Manage Third-Party Risks<\/h2>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">While privacy threats will be high on boards of directors&#8217; priority lists for 2024 thanks to the new SEC regulations and cyber insurers&#8217; requirements, so too will other supply-chain threats. 
Alastair Parr, senior vice president of global products and services at third-party risk management (TPRM) provider Prevalent, says organizations should build their procurement programs by evaluating partners from the perspective of: How can this third party offer operational resilience benefits to us?<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Forward-thinking visionaries look at TPRM and data in the aggregate, and at what data breaches mean under emerging and expanding regulatory compliance requirements, says Parr. Rather than focusing on the data itself, he suggests taking a holistic approach, calling it a cross-functional supplier risk management framework.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">&#8220;As soon as the board starts thinking about it as cross functional, a more comprehensive program \u2014 more of a lifecycle \u2014 that changes the questions they should be asking,&#8221; he says. &#8220;They should be getting excited about the procurement involvement. 
They shouldn&#8217;t be scared of data for data&#8217;s sake.&#8221;<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">The vast majority of companies today are struggling with TPRM, Parr says, because they focus more on the cost of data governance than on regulatory compliance, operational resilience, brand impact, or the reputational risk associated with data breaches.<\/span><\/p>\n<h2 class=\"ContentText ContentText_variant_h2 ContentText_align_left\" data-testid=\"content-text\">Looking Ahead<\/h2>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">In the environment of increased regulation, CISOs are now held personally liable for data breaches, regardless of whether they involve data loss or privacy violations. In response, cyber insurance underwriters are tightening their rules on how organizations should protect private data and privileged accounts. 
And all of this is happening with increased attention from regulators, insurers, and the C-suite to supply chain threats.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">To meet these challenges in the coming year, CISOs need to protect their organization and themselves by creating a system to document relevant actions and decisions, establishing and enforcing comprehensive and consistent privacy policies, and assessing their third-party partners in terms of operational resilience.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">By working across the organization with procurement, legal, and security teams, CISOs can mitigate the potential impact of supply chain threats and insurance costs on their business \u2014 and cover themselves too.<\/span><\/p>\n<p><a href=\"https:\/\/www.darkreading.com\/cybersecurity-operations\/top-3-priorities-for-cisos-in-2024\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>As the new year begins, CISOs gather with their 
security<\/p>\n","protected":false},"author":12,"featured_media":2388,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-2387","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/top-3-priorities-for-cisos-in-2024.jpg?fit=1800%2C1012&ssl=1",1800,1012,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/top-3-priorities-for-cisos-in-2024.jpg?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/top-3-priorities-for-cisos-in-2024.jpg?fit=300%2C169&ssl=1",300,169,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/top-3-priorities-for-cisos-in-2024.jpg?fit=640%2C360&ssl=1",640,360,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/top-3-priorities-for-cisos-in-2024.jpg?fit=640%2C360&ssl=1",640,360,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/top-3-priorities-for-cisos-in-2024.jpg?fit=1536%2C864&ssl=1",1536,864,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/top-3-priorities-for-cisos-in-2024.jpg?fit=1800%2C1012&ssl=1",1800,1012,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/top-3-priorities-for-cisos-in-2024.jpg?fit=1024%2C576&ssl=1",1024,576,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/top-3-priorities-for-cisos-in-2024.jpg?resize=825%2C575&ssl=1",825,575,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/top-3-priorities-for-cisos-i
n-2024.jpg?resize=590%2C410&ssl=1",590,410,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/top-3-priorities-for-cisos-in-2024.jpg?fit=1800%2C1012&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2387","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=2387"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2387\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/2388"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=2387"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=2387"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=2387"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}