Between ensuring our organizations are protected from sophisticated cyber threats, negotiating budgets with leadership and articulating the value of security investments with our respective boards, as CISOs, we already have a lot on our plate. U.S.-based CISOs, however, now have one more thing to consider.
In July 2023, the Securities and Exchange Commission (SEC) in the United States announced new rules requiring registered organizations to disclose all “material cybersecurity incidents” within four business days of discovery. The new SEC regulations, which went into effect in December 2023, require the disclosures to include details such as the nature, scope and timing of the incident, as well as all material information on their cybersecurity risk, strategy and governance, specifically “management’s role and expertise in assessing and managing material risks from cybersecurity threats.”
What does this mean for CISOs, our teams and respective organizations in 2024? For one, it means that cyber risk is now inextricably linked to an organization’s brand, value and market perception. And boards are watching. Consequently, CISOs will have more at stake as the regulatory environment becomes more stringent, more complex and harder to navigate.
“You’ll see organizations introduce more cyber skills on their boards and give their CISOs larger roles as business leaders,” says Splunk President and CEO Gary Steele. “Even though cyber obviously has been a topic in the boardroom for a long time, it'll be much more prevalent.”
As security takes center stage with the C-suite and the board, companies are finally acknowledging that cyber risk is business risk. Whether we are justifying the ROI of security initiatives, bracing for stealthier and more insidious ransomware, or helping our teams build new cyber defenses with generative AI, in 2024, security will be a priority from the top down.
It’s a development that will come with advantages for CISOs — the board’s more aggressive focus on cybersecurity will increasingly position CISOs as business leaders with more negotiating power at the table. Until a few years ago, CISOs filled more of a tactical role. These days, however, CISOs aren’t just advising the C-suite, we are the C-suite. And in 2024, CISOs will increasingly be heralded as cyber champions, sit shoulder to shoulder with members of the board, and be even more instrumental in our organizations’ cybersecurity strategies.
“Security risk is business risk, and boards are realizing it,” says Mick Baccio, global security advisor at Splunk’s SURGe. CISOs will benefit from their elevated status and hold more sway with their respective CEOs and boards, which will likely mean additional resources, funding and support for their goals and teams. These changes in priorities haven’t gone unnoticed — respondents to Splunk’s 2023 State of Security report tell us that 79% of line-of-business stakeholders see the security team as either a trusted source of information or a key enabler of the organization’s mission.
The SEC legislation also links cybersecurity to the value of critical information systems, in turn driving a need to enhance the board’s technical understanding. As both cybersecurity experts and leaders, CISOs will be instrumental in translating the meaning of critical security events and value of investments in a way that the board can understand.
“Unfortunately, investors were left in the dark on many cyberattacks. Now with the new SEC regulation, publicly traded companies must inform investors of an event that could have a material impact,” says Paul Kurtz, Splunk chief cybersecurity advisor and field CTO. “Every board of directors will need to have someone that can understand the potential material impact of a cyber event.”
CISOs shouldn’t necessarily bear the responsibility of judging material impact, but they must be part of the discussion, Kurtz adds. As critical liaisons to the board, CISOs will face intensified scrutiny on security investments, manage more financial and organizational risk, and become increasingly liable for cyber risk — which includes breaches, attacks and security failures. This also means they are duty-bound to disclose incidents shortly after discovery to avoid risk of legal and/or financial penalties.
I believe it’s going to force more in-depth conversations around best practices. How do you translate security strategy and posture so that an investor can understand — good, bad or whatever — your security profile? CISOs need to learn how to speak in that business language.
The good news is that even if other parts of the organization are slashing budgets, most cybersecurity spending is climbing in the year ahead. “We don’t see budgets being cut for security,” says Kirsty Paine, Splunk field CTO and strategic advisor for EMEA. “It’s a pretty ringed fence. CISOs just have to justify what they’re doing.”
To learn more about what Splunk sees for the future of the cybersecurity landscape in 2024, download the 2024 Splunk Security Predictions report.