On-call culture will include executives
Amidst the flurry of instant messages, emails, and alerts during the incident response process, the analyst who made the discovery asks the dreaded question: Do I need to escalate this? The answer is nearly always yes for more severe incidents like data breaches or ransomware attacks. In our risk-averse security world, many analysts will choose escalation rather than be the reason that precious hours were lost.
Tighter deadlines will encourage executives and stakeholders to get involved earlier in the reporting process: 81% of security leaders in State of Security 2024 believe the current regulatory environment will compel senior security staff to be on call 24/7/365.
Historically, on-call positions have been reserved for early-career professionals. However, these new regulations may obligate senior employees, who hold institutional knowledge and the authorization to make quick decisions, to be available at a moment’s notice too. Senior security leaders often have the authority, a higher level of permission and access, and a stronger relationship with the business, all of which ease the reporting and communication processes the new mandates require.
Senior leaders, you have a choice. Empower your staff to decide which incidents need reporting without your intervention, or keep tighter control by becoming the on-call bottleneck. Which will you choose?
Increased personal liability will contribute to the talent shortage
Being a CISO today comes with more personal liability than ever before. When the SEC charged SolarWinds’ former CISO with fraud in October 2023, it was a watershed moment — the first time in the SEC’s history that it brought charges against a company’s CISO in relation to a cybersecurity incident. A breach is no longer just a technical or even a business risk — it’s a personal one. For many, the decision to become a CISO involves personal sacrifice in the form of long work hours and even the possibility of going to jail for making a mistake on the job.
Of the respondents, 75% agree or strongly agree that the risk of personal legal liability makes cybersecurity less attractive. And 70% say that the stress on the job made them consider leaving cyber altogether — of those, 36% said they considered leaving multiple times.
It’s not exactly a stretch to say that tightening compliance could drive talent out of the industry. Many are already frustrated by box-ticking crowding out 'real' security work. The same pressure could also show up as stagnation: security professionals may stay in individual contributor roles for their entire careers, hesitant to take on the burden of personal liability.
Compliance and security teams will collaborate more
Narrow reporting windows require much greater cross-functional visibility. Where compliance and security teams used to work independently, they now must align on priorities and define clear roles to protect the business from compliance violations. PR teams often need to be involved, too, for more public breaches that require a customer response. This shift towards collaboration and shared responsibility is a positive step towards a more secure future.
That involves education and training for both sides, encouraging a common language and recognizing shared goals. According to State of Security 2024 respondents:
- 91% are ramping up security training for legal and compliance teams
- 90% are ramping up legal and compliance training for security teams
- 91% say everyone on their security team makes compliance a part of their jobs
At this point, cross-functional collaboration should be a mainstay of security; 87% of security leaders said they were collaborating more closely with other functions to improve digital resilience.
The new era of compliance will fundamentally reshape security teams. How organizations prioritize and adapt to its many iterations will be the hallmark of their success.
Delve into the full report, which provides more insights and recommendations on the impact of compliance in 2024 and beyond, as well as the dual impact of generative AI on both security defenders and adversaries.