I recently joined senior cybersecurity executives and chief information security officers (CISOs) in Washington, D.C., for the annual National CISO Policy Conference. The National Technology Security Coalition (NTSC) began hosting the event five years ago to provide the CISO community a chance to discuss relevant national cybersecurity legislative and policy issues. The attendees were from both the public and private sectors.
The NTSC is a coalition of senior technology executives that serves as the voice for CISO advocacy in Washington. The group is prominent in national security deliberations that drive legislative and policy agendas. The annual conference is an important part of the NTSC’s mission.
This year, the impressive lineup of speakers included National Cyber Director Chris Inglis, formerly the National Security Agency deputy director; Retired Rear Admiral Mark Montgomery, the executive director of the Cyberspace Solarium Commission; Susan Gordon, former principal deputy director of National Intelligence; and U.S. Congressman John Katko.
The speakers discussed current issues ranging from the cybersecurity implications of Russia’s war on Ukraine to the latest developments in national cyber defense strategy. The following highlights are some of the most prominent conference themes.
The American Data Privacy and Protection Act
The House Energy and Commerce Committee introduced a bipartisan bill in June, the American Data Privacy and Protection Act (ADPPA). This first-of-its-kind legislation would afford all Americans the same level of privacy protection.
The committee overwhelmingly passed the comprehensive legislation in July—the first time a consumer privacy bill had worked its way out of a Congressional committee. The bill would have wide-reaching implications for all companies, especially those in the technology sector.
Workforce development
Building a holistic strategy for workforce development is an ongoing hot topic, both at the government and the private sector levels. Admiral Montgomery recently co-authored a report titled “CSC 2.0: Workforce Development Agenda for the National Cyber Director,” which provides a comprehensive analysis of the cyber talent challenges within the federal government, along with recommendations for the government, Congress and the private sector.
While the report focuses on the federal government, workforce development grows more urgent every day for the private sector as well. The cybersecurity industry faces an incoming wave of retirees in the next decade—and there aren’t nearly enough college graduates and new professionals to replace them and meet the ever-increasing need for talent.
The SEC’s proposed cyber risk reporting rule
The U.S. Securities and Exchange Commission (SEC) recently issued preliminary guidance on its proposed rule requiring more transparency and corporate resilience against cyberattacks for “cybersecurity risk management, strategy, governance, and cybersecurity incident reporting” for publicly traded companies.
If the SEC finalizes the rule in April 2023 as anticipated, companies would be required to disclose relevant cybersecurity details, including cybersecurity expertise on the board of directors and “material” cyber incidents, such as ransomware attacks and data breaches.
Most CISOs seem to support having a cybersecurity expert on the board, considering how essential it is for boards to understand the connection between cyber risk and business risk. Given the complexity of the interconnected digital ecosystem, cyber risk is a complicated issue. Having cybersecurity experts on a board of directors can help to close the knowledge gap and better align the board’s priorities with those of the CISO.
The changing role of the CISO
I delivered a conference keynote about the changing role of the CISO, sharing insights from the recent “Voice of the CISO” report from Proofpoint and also drawing from the NTSC’s recent “CISO 2.0” report.
Our survey showed that 49% of CISOs feel the expectations of their role are excessive, and 51% believe their reporting line hampers their effectiveness. The survey also found that only 51% of CISOs feel they see eye-to-eye with their board on cybersecurity issues. The NTSC’s report echoed the Proofpoint report, noting the growing need for CISOs “to engage the board” and “tell the story from a risk-based perspective in a way that can easily be understood by the board members.”
Our roles as CISOs will continue to evolve as we face issues such as workforce shortages and a changing regulatory landscape, whether that’s the SEC’s new rule, federal privacy legislation, or many other proposed policies affecting our organizations. Remaining vigilant and diligent about the rising threats and the overall developing cyber landscape is critical.
Patrick Gaul, NTSC executive director, recently discussed the conference takeaways with me for the Proofpoint podcast, “Protecting People.” We covered some of the most important topics and touched on what else is coming up on the agenda that is important to CISOs. Listen to our podcast for a deeper dive into some of the above highlights, along with further insights.
Visit our CISO Hub for cybersecurity research, insights, and resources for the global CISO community.