Perspectives: What will be the most significant challenge organizations will face next year due to fractured regional data regulations?
Fanning: Regulations that vary from country to country can impact an organization’s go-to-market strategy, security roadmap, and even where it prioritizes resources. For example, new regulations may require you to have citizens of that country on the ground managing the data that resides there or the entire infrastructure within that region — from operations to security — which means organizations have to figure out how to scale and make certain trade-offs.
Perspectives: So new regulations may require companies to have “boots on the ground” at all times, which they weren’t anticipating?
Fanning: In the most extreme instances, yes. Or, you’ll need to — at a minimum — be able to meet regulatory requirements for data protection from a technical perspective. But that brings about its own sets of challenges.
Perspectives: How so?
Fanning: Meeting requirements is one thing. Interpreting them correctly is another. Regulatory language is often vague, so technical leaders must work closely with legal and compliance officers to understand and interpret them. However, how one organization interprets regulation can differ from another, like between a vendor and a customer. This actually happens quite often, so it’s essential to always have that open line of communication.
Perspectives: We discussed some of the challenges of fractured regulations. But what are the potential benefits or opportunities for organizations navigating this landscape? Are there any silver linings?
Fanning: There are opportunities for companies to help align and influence the regulatory landscape. Regulations are generally well-intentioned but not always pragmatic. So, companies have the opportunity here to help drive achievable outcomes that benefit regulators and businesses alike. Things like implementation dates, for example. In the past, regulators learned that they were not necessarily feasible for some companies, so those dates continued to get pushed back. That’s something organizations can help influence in the future so that directives don’t get delayed.
Perspectives: What strategies would you recommend for making an organization’s compliance framework resilient to changing regulations?
Fanning: My advice is to leverage a Common Control Framework (CCF), which allows organizations to meet a broad range of compliance requirements across regions and regulations. So, rather than having a single set of controls just for ISO or PCI, you have one set that combines all control requirements into one common group that’s broadly implemented across an organization — effectively making it agnostic of the compliance or regulatory requirement. If an organization adopts and implements this standard set of controls and criteria, it will meet any current regulatory requirements. It just has to hit that threshold.
And as new compliance and regulatory requirements take shape, organizations simply maintain and iterate their CCF.
Perspectives: How can cross-functional teams help manage compliance across regions with diverging policies?
Fanning: From a cybersecurity perspective, my best advice would be not to try to solve these problems in a silo. Leverage the experts in your organization, such as legal and compliance officers, who are more familiar with interpreting the complexity of these policies. As a cybersecurity organization, understand the right technical path to meet the control requirements.
So, if you think about it, legal and compliance drive the outcomes, while cybersecurity drives the roadmap to meet those requirements. Ultimately, this will enable an organization to be more efficient in implementing controls and meeting requirements across infrastructure and products.
Perspectives: What tools or processes do you recommend for staying current on changing regulations?
Fanning: I think we’ll see more governance, risk, and compliance (GRC)-related products become increasingly popular. And now with AI’s ability to help interpret these policies, there are significant opportunities to explore. GRC products can create a path of least resistance for more easily meeting regulatory requirements.
Perspectives: Are there any proactive measures organizations can take now to prepare for potential shifts in cyber policies?
Fanning: If you’re already implementing cybersecurity best practices across your infrastructure and products — and meeting industry standards — you won’t be caught flat-footed if policies suddenly shift. So, a solid company-wide cybersecurity strategy, agnostic to any particular regulation, is a great proactive measure. If you're already meeting industry cybersecurity standards, you’re probably checking the boxes for what many of these regulatory requirements will ultimately require. If you have good vulnerability and risk management practices and a secure software development lifecycle, you’ll be in a solid position as new regulations come forth.
Perspectives: As the regulatory landscape grows more complex, how do you see the role of CISO evolving?
Fanning: Regarding vendor-customer relationships, I think we’ll start seeing more CISO-to-CISO conversations and discussions of regulatory requirements. It’ll be up to the CISO to build confidence and guarantee that they have the customer's best interest in mind from a cybersecurity standpoint.
Overall, cybersecurity organizations will be more involved in the sales process to give customers confidence that you're meeting these regulatory requirements. So, if you're a vendor, having that expertise embedded in your cybersecurity organization to interface with customers will become increasingly crucial.
To learn what other predictions Splunk and Cisco leaders made for 2025, get your copy of Splunk Predictions 2025.