NY regulations increase demands on CISOs already under stress and in short supply Credit: Thinkstock The question of responsibility for cyber-attacks has been a gray area for the last few years. Regulators have treated data breaches and hacking attacks as though they were earthquakes or floods beyond human control, but that’s beginning to change. A new set of rules just went into effect in New York that requires financial services companies to have comprehensive cybersecurity strategies.For too long many organizations have been burying their heads in the sand, but we know that these attacks are no acts of God – they are engineered by humans – and, unlike earthquakes, we can take effective action to prevent them. The new regulations outline the need for a cybersecurity plan that includes risk assessments, penetration testing, encryption, multi-factor authentication, and a host of other sensible security steps, including the appointment of a CISO (Chief Information Security Officer).CISOs in short supplyEvery large company, at the very least, should have a dedicated CISO on staff, but for smaller businesses a full time CISO might be beyond their budget. The problem is, even if they are willing to employ a CISO, there’s a massive skills gap and it’s growing. There will be a shortfall of 1.8 million cybersecurity workers by 2022, according to the International Info System Security Certification Consortium which conducted a survey of more than 19,000 cybersecurity workers.The CISOs out there with the kind of experience and skillsets that companies really need are in constant demand. As many as 46% of cybersecurity professionals are solicited to consider other cybersecurity jobs at least once a week, according to an Information Systems Security Association survey. Clearly there aren’t enough CISOs to go around. Making a case for a virtual CISOWhether you’re a small business, or you’re just struggling to fill the position, a virtual CISO could be the ideal fit. You can gain access to the specialty skills you need to draft an effective strategy for cybersecurity, benefit from a depth of experience that would be unattainable through recruitment, and gain a knowledgeable mentor to help your InfoSec staff develop.Virtual CISOs can be put on retainer for a certain number of hours, hired by the project, or you can buy a block of support hours. You can get top talent and have them direct your risk assessments and help formulate your cybersecurity plan at a fraction of the price of a full-time pro with the same level of experience. You can also be confident that vCISOs are up to date with the latest developments in the field and have working knowledge of other large organizations’ security efforts. The investment required to bring a vCISO in for consultation and have them help build a strategy is insignificant next to the true cost of a data breach.The need is great and growingAt first glance, you may think these regulations don’t apply to you, but they don’t just cover banking, insurance, and brokerage firms that operate in New York – they also apply to third-party vendors that are in business with these organizations. Cloud services, point-of-sale solutions, and payroll vendors will also need to have comprehensive cybersecurity programs.The New York regulations stipulate that “Each Covered Entity shall designate a qualified individual responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy (for purposes of this Part, Chief Information Security Officer or CISO).”First statements to acknowledge compliance are due by February 15, 2018. There are exceptions for firms that do less than $5 million worth of business in the state or employ fewer than 10 staff, but everyone else had better get things in order. If a data breach does occur and the victim is found to have been negligent with regard to cybersecurity, then it can expect serious punishment.In an ideal world, CISOs should talk to the board frequently, but they’re only required to report in writing annually for regulatory purposes. A vCISO is going to be the easiest and best way to meet this requirement for an awful lot of organizations.We expect other states will follow suit with their own cybersecurity regulations and, in this climate, the rise of the virtual CISO is assured. Related content opinion Diversity in cybersecurity: Barriers and opportunities for women and minorities Increasing the numbers of women and minorities in cybersecurity isn't just good for the individuals involved, it's good for the practice of security. Here's a look at what's holding them back and what can be done about it. By Michelle Drolet Dec 23, 2021 5 mins Diversity and Inclusion Hiring Security opinion 6 steps for third-party cyber risk management If you have third-party partners, you need a third-party cyber risk management program. Here are six key steps to follow. By Michelle Drolet Sep 30, 2021 4 mins Risk Management Security Practices Security opinion 5 open source intrusion detection systems for SMBs If you don’t have a lot of budget at your disposal, these open-source intrusion detection tools are worth a look. By Michelle Drolet Nov 13, 2020 5 mins Intrusion Detection Software Security feature 6 steps to building a strong breach response plan Cybersecurity resilience depends on having a detailed, thorough, and tested breach response plan in place. Here's how to get started. By Michelle Drolet Oct 07, 2020 5 mins Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe