2023-12-21

The year 2023 has been difficult for CISOs.

Aside from the experiences of these individuals, CISOs also faced a wave of new regulations in 2023, with even more coming next year. New SEC cybersecurity rules call for mandatory cyber-incident reporting by all US-listed companies. Domestic issuers must disclose material cybersecurity incidents on Form 8-K within four business days of determining that an incident is material. Foreign private issuers must disclose material cyber-incidents on Form 6-K. Registrants must also describe, in their annual reports, their processes for assessing and managing cybersecurity risk, the board's oversight of that risk, and management's role and expertise in handling it.

Financial services firms also face changes to the New York State Department of Financial Services regulation 23 NYCRR 500, including new requirements for larger companies, expanded governance requirements for boards, expanded cyber-incident notification, new requirements for incident response and business continuity planning, and additional multifactor authentication requirements.

In Europe, NIS2 takes effect in October 2024. While NIS1 covered critical sectors such as healthcare, energy, transport, digital infrastructure and financial market infrastructure, NIS2 expands coverage to sectors including food (production, processing and distribution), social networking platforms, cloud computing services and data centers. NIS2 focuses on four primary areas: risk management, corporate accountability, reporting obligations, and business continuity.
At a more granular level, NIS2 affects policies and procedures for the use of cryptography, vulnerability management programs, employee access to sensitive data, multi-factor authentication, evaluation of security technology efficacy, employee training, and supply chain security.

CISOs struggling with new legal, regulatory challenges

How are CISOs coping with this barrage of legal scrutiny and regulatory oversight? Not well. According to recent research from ESG and the Information Systems Security Association (ISSA), 62% of CISOs surveyed say that their job is stressful at least half the time. CISOs are particularly stressed by an overwhelming workload, working with disinterested business managers, and keeping up with the security requirements of new business initiatives. Furthermore, 36% of CISOs say it is very likely or likely that they will leave their current job within the next year, compared with 26% of non-CISOs. Many (46%) have considered leaving cybersecurity altogether, compared with 28% of non-CISOs.

Why would CISOs move on from cybersecurity? Sixty-five percent say they have considered an exit because of the high stress of a cybersecurity job, 43% say they are frustrated because their organization doesn't take cybersecurity seriously, and 39% say they are close to retirement age and will leave the profession when they retire.

2024 a year of change for CISOs

Given the stress on and increasing scrutiny of the position, I believe 2024 will be the year of the CISO. To be clear, I'm not suggesting some 'hooray for the CISO' ceremonial platitude. I'm saying that individual organizations and the business world at large will scrutinize, experiment with, and ultimately modify the CISO role in 2024, more so than at any time in the past.

Here are five predictions for what happens next year:

CISOs will also want more input into what's reported to the public.
Boilerplate legalese won't be tolerated. Rather, CISOs will want to err on the side of transparency. When challenged on this point, CISOs will head for the exit.

Splitting up the CISO role

Recognizing the difficulty of the position, I proposed a few years ago that the CISO role be bifurcated. I suggested two roles:

The former should report to the CEO and board; the latter should have a dotted line to the former while reporting directly to the CIO. Given the angst around the position, these dual roles may become a reality in 2024.