The data-first CISO, for a new era of data compliance
Let’s be honest, most of us in this industry have been asking for change for a long time. Many of us have argued for digital privacy as a right, and now it’s starting to come to fruition. We see month over month more legislation being introduced.
This codification of privacy is transforming how businesses are expected to operate. There is no longer any question about what happens when a business doesn’t invest in a cyber program, or about who is responsible. Let’s take a quick look at what will shape this year.
US Privacy Regulations Take Action: CCPA, NYDFS, and SEC Update Requirements
- CCPA may be amended. The CCPA currently has an open request for comment on how audits fit within the law. In addition, we will start seeing rulings in CCPA cases that show what the real losses from not complying look like. For those who want to follow along with us, Perkins Coie has a great tracker.
- NYDFS will likely be amended. Industry comments are under review. Once DFS makes its recommendations it will move through the legislation process. Notable takes:
  - “The CISO and the highest-ranking officer of the covered entities are both required to sign a certificate of compliance, and notice of compliance must be delivered annually to the NYDFS.” – Morgan Lewis.
  - This is more than a privacy law; it also covers business resiliency and secure operations.
- The SEC wants its new rules in place ASAP. These include cybersecurity reporting requirements, alongside consideration of rules that would require adoption of standard practices. As with all federal rules, this one may take some time. Other provisions, notably around carbon footprint reporting, seem to be causing friction. We will see if the SEC makes its timeline.
- $100 million penalty for BIPA violations. In 2022, we saw cases relating to the Louisiana BIPA come to a close, with significant penalties being doled out. The rubber is meeting the road, and liabilities are a reality. Read more at Data Protection Report.
Why Executive Leaders Must Prioritize Cybersecurity Expertise
With this strong legislative push, real-world liabilities are here. Executive leaders can no longer ignore the advice of security teams. The reality is that most businesses are not ready. A quick snippet from Forbes illustrates this perfectly:
“Our analysis showed that only 51% of Fortune 100 companies have a director on their boards with relevant cybersecurity experience. The situation in the Fortune 200 and 500 is more concerning: only 9% have cyber-savvy directors. Worse still are the companies in the Russell 3000 smaller than those in the Fortune 500: only 8% have cyber directors. There is a total shortage of 2,724 directors with cybersecurity expertise across all Russell 3000 companies.” – Forbes
To be successful in filling these positions, security leaders will need to have an opinion on what’s changing from a legal perspective, how that impacts business strategy, and how the business can create opportunity in markets with changing regulations.
Succinctly, CISOs need to be part of every strategic board-level conversation. An active CISO can actually be a competitive advantage. These active leaders understand the business’s data, how to use it for market advantage, and how to meet new regulatory challenges. Companies that stay ahead of the changing regulatory environment will realize greater returns. Companies that view compliance as a checkbox will fall behind.
Ensuring adherence to compliance regulations is critical to your business’s operations, but doesn’t have to consume an outsized portion of your resources. Let Clumio help automate compliance and simplify management while reducing your data protection costs. Contact us for a customized consultation.