CISO Hot Topics - What's Your Take?
Town Hall Insights
Global CISO Community

Meredith Harper, SVP, CISO, Synchrony Financial (GOVERNING BODY HOST)
Sara Andrews, Global CISO, Experian (DISCUSSION LEADER)
Ken Athanasiou, CISO, VF Corp (DISCUSSION LEADER)
Derek Benz, CISO, The Coca-Cola Company (DISCUSSION LEADER)
Allan Cockriel, VP and CIO for Global Functions and Information Risk Management, Group CISO, Shell (DISCUSSION LEADER)
Dave Estlick, CISO, Chipotle Mexican Grill (DISCUSSION LEADER)
Andrew Kirkland, Global CISO, SVP Information Security, PepsiCo (DISCUSSION LEADER)
Jacob Lorz, Vice President & CISO, Cintas (DISCUSSION LEADER)
Jesse Magenheimer, Vice President & CISO, State Farm (DISCUSSION LEADER)
Lucia Milica Stacy, CISO, Stanley Black & Decker (DISCUSSION LEADER)

JANUARY 2024

As more security topics find their way to the boardroom table, it's up to Global CISOs to push past the hype and foster constructive conversations about the value, opportunity and impacts these trends could have on their organizations. What are the hot topics in cybersecurity across global industries? 

Recently, the Global CISO Community gathered for a town hall to discuss the business impacts of emerging trends and to share key strategies for communicating about these trends to non-technical stakeholders in global environments.

Senior Vice President and CISO Meredith Harper of Synchrony Financial was the Governing Body Host, and several global security executives helped lead the discussion groups, including Sara Andrews, Global CISO at Experian; Ken Athanasiou, CISO at VF Corp; Derek Benz, CISO at The Coca-Cola Company; Allan Cockriel, VP and CIO for Global Functions and Information Risk Management, Group CISO at Shell; Dave Estlick, CISO at Chipotle Mexican Grill; Andrew Kirkland, Global CISO, SVP Information Security at PepsiCo; Jacob Lorz, Vice President and CISO at Cintas; Jesse Magenheimer, Vice President and CISO at State Farm; and Lucia Milica Stacy, CISO at Stanley Black & Decker.
Highlights from the Discussion

  1. The SEC’s New Cyber Rules

The global CISOs kicked off their discussion groups with the SEC’s new rules for publicly listed companies in the US, which require companies to report cyber incidents that are determined to be material. CISOs in the discussion noted that the biggest open question is how to define the “materiality” of an incident. Several security leaders said they are working with their Legal teams to understand that definition and how it affects their operations.

Beyond the financial impact on a company, one CISO asked the group whether reputational risk, or damage to the brand, is also considered material. Another shared that their organization’s approach is to assess the business impact of each potential incident, both quantitative and qualitative.

Several executives also mentioned that they are updating their incident response plans to call out the disclosure requirements and to ensure that a “RACI” process (responsible, accountable, consulted, informed) is in place for the disclosure decision. One added that “RACI is very important to get right” so that everyone understands when to bring information forward. One participant noted that their team conducted a tabletop exercise with their disclosure committee to practice their response.

A further question arose around what specifically has to be included in the notifications about a security incident. One CISO noted that there are confidentiality concerns about incidents and “what we might be putting out there for the bad guys.” Others agreed that everyone wants to be careful not to share too much information right out of the gate.
  2. Controls or Policies on AI Tools

CISOs then switched to the topic of AI, and in particular securing the use of generative AI tools. For some security leaders this is still a work in progress, with one saying, “We are doing our best to get policies in place and let people know what they can and cannot use.” Another shared that it’s “early days” for them, and they have no separate policies for AI tools. One of their main concerns is what information is potentially being shared on generative AI sites.

They debated whether it is really possible to block access to generative AI sites for internal users. Some have a software tool in place, but note that “you can’t block everything.” Another CISO said “sometimes” they can block the tools, and they are experimenting with a warning system that triggers when users enter certain keywords into external tools. One said that they are standing up a private instance of a generative AI tool, available only for internal use.

Overall on the topic of AI, many agreed that their main focus is finding the business use cases and the ROI. As one shared, “There is general agreement on the enormous amount of opportunity, and we can’t shy away from it.”
  3. Primary Objectives for 2024

With these topics on the horizon and the broader cybersecurity landscape in mind, where are global CISOs focusing their attention in the year ahead? Some said third-party risk management is “right at the top.” Others are focused on prioritization, maximizing their investments and overall risk reduction. One CISO wants to improve how they present risk messages to the board, and several agreed.

One CISO said that security boils down to “end users and data” and how to effectively secure those two things. Other focus areas included zero trust initiatives, cloud security, and protecting against sophisticated social engineering attacks.
To continue the discussion on SEC rules, generative AI, and more cybersecurity topics, join the Global CISOs at their Executive Summit, September 16-18, 2024, in San Diego. Or, check out our calendar for opportunities to connect with security leaders in your region. You may also apply to join a CISO community near you to continuously stay up-to-date with your CISO peers.