Regulation and the CISO – A Suggested Approach From the CISO Community
How should the CISO be regulated? What should the government consider when regulating the CISO? Can regulation become an agile process? These and other questions are addressed in our new Team8 CISO Village report, Regulation and the CISO – A Suggested Approach From the CISO Community, written by Chris Inglis, Amit Ashkenazi, and myself in response to the White House RFI on cybersecurity regulation harmonization.
The response is now available for download here.
The National Cybersecurity Strategy calls for “fundamental shifts” in the allocation of “roles, responsibilities, and resources in cyberspace”, seeking to place a greater share of the burden of mitigating risk on the private sector while increasing incentives for long-term investment in cybersecurity. We, as a community, support the government’s desire to improve the security of the industry and the safety of our customers and citizens, and we believe this strategy will help us all meet these objectives.
Effective CISO engagement is even more crucial for reducing cybersecurity legal exposure in the age of AI. To enable organizations to harness the benefits of this developing technology, CISOs and regulators need to cooperate to ensure risk management and mitigation that is adequate and effective without being excessive.
Achieving these ambitious goals requires a change of regulatory mindset, one that recognizes the complex nature of the cybersecurity mission: it spans technical knowledge and economic incentives, and it shapes organizational culture.
This new mindset can draw on concepts of “agile regulation” to create a new regulatory ecosystem, a key element of which is frameworks that engage the CISO community without creating excessive legal or regulatory exposure.