From security to compliance? The role of the CISO as cyber-regulation grows
30th May 2024 • Paris, France • The Westin Paris - Vendôme
The EU leads the world in smart cybersecurity regulation. But what does it mean for security professionals?
Building real protections in cyberspace
Much of the hype around cybersecurity today focuses on AI and the implications for both attackers and defenders. And, yes, AI lowers the barriers to entry for attackers and saves them money and time in crafting attacks and then ‘processing’ the defenders’ responses.
Mostly though that is a volume problem: there will be more attacks, just as happened with the digital industrialisation of fraud. And yes – AI can create new attack types, such as deepfakes, which are more than just a volume problem.
But the biggest change in cybersecurity is actually the regulatory response that is emerging. In the US this has come via the SEC, which sees cybersecurity as a material issue for stakeholders and so seeks to drive standards via investor protection.
The EU has taken a more comprehensive and sensible approach which is essentially to acknowledge that cyberspace is a real entity in which citizens, businesses and the state operate, just as they do in the physical world, and so it needs the same protections as
that physical world.
This means we need lawmakers, regulators and law enforcement to create the kind of frameworks we take for granted in the physical world.
DORA, NIS2, the Cybersecurity Act, the Cyber Resilience Act and, coming later, the EU AI Act, are world-leading attempts to put cybersecurity onto a modern footing commensurate with the threat it poses to economies, infrastructure and political stability.
This is a huge change for cybersecurity professionals
It means, for sure, that senior management will be forced to budget for compliance with these new regulations. But will that actually improve security? Will it suck resources into tick-box compliance functions? Will it focus more on resilience (what happens after a breach) than on security, because the assumption is that breach is inevitable? And since regulations are necessarily out of date as soon as they are published, will they skew security towards ensuring previous threat types are protected against rather than looking forward at preventing the unexpected?
All of this will require new approaches and new skillsets from CISOs. They need to understand regulations and how to mould their security efforts to them. They need to develop or work with compliance monitoring.
They need to be able to work with the business to explain the costs and benefits of regulatory compliance. And they need to be able to adhere to fixed external standards, where before perhaps they felt able to operate autonomously.
The e-Crime & Security Congress France will look at the growing ecosystem of global regulation to see where CISOs should prioritize, where the biggest challenges lie and how to comply in an affordable and secure manner.
And of course we will also tackle the subjects you have asked us to: ransomware, human-centric security and security culture, AI, third-party security and the all the rest.