More than 4 in 5 CISOs believe their role needs to be split into two separate positions, as regulatory and financial risks consume a greater part of their job responsibilities, according to a report released Tuesday by Trellix and Vanson Bourne.
A majority of CISOs are calling for the job to be separated into a technical, hands-on-keyboard security role and another position that focuses on regulatory compliance and boardroom disclosure.
Regulatory changes from the Securities and Exchange Commission and other bodies have been a mixed blessing for CISOs, according to Harold Rivas, CISO at Trellix.
“On the one hand, they have continued to elevate the role and squarely placed cybersecurity as a boardroom agenda item,” Rivas said via email. “On the other hand, regulations and legal actions related to them have increased personal liability... creating a new source of stress for those in the role.”
The report is based on a survey of more than 500 CISOs in the Americas, Europe, the Middle East and the Asia-Pacific region, conducted by Vanson Bourne during August and September.
The report's authors said CISOs’ responsibilities have changed radically because of incident-reporting requirements from the Securities and Exchange Commission, as well as widespread changes in corporate governance that require CISOs to meet regularly with boards and upper management.
Among the top concerns is the growing legal peril for CISOs if their companies fail to properly disclose cybersecurity risks. The SEC has an ongoing civil fraud case against SolarWinds and its CISO, Timothy Brown, for allegedly failing to disclose the company’s cyber risks to investors in the lead-up to the 2020 Sunburst attacks.
About 9 in 10 respondents said the changing regulatory landscape is redefining what it means to be a CISO. Four in 5 respondents said the time and effort required to keep pace with new regulations is not sustainable.
Nearly half of those surveyed said they now meet with their boards on a weekly basis.
Michelle Horton, principal of cyber, risk and regulatory at PwC US, pushed back on the need to split the duties of a CISO, noting this may be an example of risk management immaturity at some of these companies.
“Well-functioning risk management and regulatory change management programs are a collaboration across departments including legal, cybersecurity, risk management, compliance, internal audit, etc.,” Horton said via email. “This is not necessarily a reason to split the CISO role.”
In June, the Biden administration outlined plans to harmonize a growing list of compliance regimes that require companies to quickly report significant attacks, disclose cyber resilience strategies or meet minimum security standards within their respective industry sectors.