Navigating the compliance maze as a CISO

According to Gartner’s 10 IT predictions, the fourth prediction highlights that the role of the Chief Information Security Officer (CISO) will expand significantly. By 2027, 45% of CISOs will find their responsibilities extending beyond information and cybersecurity matters due to an ever-increasing regulatory and threat landscape.

The Impact of Regulatory Changes in Europe

When examining the current situation in Europe alone, it’s clear that numerous laws and directives, either directly or indirectly influencing security, are already in place or in development. Key examples include:

  • The recently passed Artificial Intelligence Act
  • The EU Cybersecurity Act (CSA)
  • The General Data Protection Regulation (GDPR)
  • The Data Governance Act (DGA)
  • The Payment Services Directive 2 (PSD2)
  • The Digital Operational Resilience Act (DORA)
  • The Digital Services Act (DSA)
  • The Digital Markets Act (DMA)
  • The Radio Equipment Directive (RED)
  • The Cyber Resilience Act (CRA)
  • The Network and Information Security Directive 2 (NIS2)

This list is not exhaustive, but it illustrates the scale of the regulatory challenge.

A Double-Edged Sword: Opportunities and Challenges

On the one hand, this expanded regulatory environment can be beneficial. It will likely help the CISO gain more attention, and consequently more resources, highlighting the increasing importance of cybersecurity in today’s digital world. This will drive the topic into boardroom discussions, where it rightfully belongs.

On the other hand, complying with all these laws and regulations presents a considerable challenge. How can organizations ensure they are meeting all the requirements?

Common Denominators in Security Laws and Regulations

A number of common themes or “denominators” emerge when examining the security aspects of these laws and regulations. These concepts frequently appear in one form or another:

  • Risk-based approaches
  • Resilience
  • Supply chain security
  • Transparency
  • Audits and certifications

These principles are foundational to managing security effectively across various industries.

Risk-Based Approach

Risk management is the core of nearly all security frameworks and standards, as it allows businesses to thoughtfully evaluate the risks they face from identified cyber threats. This approach links risks to the (technical) countermeasures that should be implemented to mitigate them. Depending on an organization’s risk tolerance, certain risks may also be accepted, transferred, or avoided altogether.

Many regulations require risk assessments, whether the focus is on risks to the organization or to its customers or consumers. This makes risk assessment processes an essential part of compliance.

These types of security compliance measurements can assist you as a CISO in providing evidence of a mature and acceptable security level, instilling confidence in it among your management as well as your partners and customers.

Resilience

Resilience, the ability to ensure business continuity after a cybersecurity attack or crisis, is another recurring theme. It instills trust both within the organization and externally, as it demonstrates preparedness to bounce back from incidents and continue operations within a reasonable timeframe.

Supply Chain Security

Supply chain security has gained increasing attention in frameworks like NIST CSF, the CIS Controls, and ISO27001/2. Most organizations collaborate with partners to deliver products or services, and the security measures embedded within these partner organizations can represent a significant part of the overall threat landscape.

Past breaches have often been executed through partner organizations, as they are typically smaller, with less budget for security, and therefore easier targets.

Transparency

Transparency is about honesty and clear communication when issues arise, whether they involve vulnerabilities or incidents. Organizations are often required to inform both customers and relevant authorities in case of significant security incidents.

Audits and Certifications

Finally, audits and certification schemes are becoming a requirement for certain laws. For instance, under NIS2, essential entities must be certified against standards or frameworks such as ISO27001 or CyberFundamentals (in Belgium). Independent accredited bodies, endorsed by national cybersecurity authorities, will audit organizations and provide certificates.

Such certifications not only demonstrate compliance with laws but also boost trust among customers, potentially leading to more business opportunities.

Frameworks to Navigate the Compliance Landscape

These “common denominators” are embedded within many existing security control frameworks, which is beneficial. Depending on the industry and specific regulations, certain areas may require more focus, but the foundational principles remain the same.

Navigating the cybersecurity compliance maze is about selecting an appropriate framework and implementing controls based on identified risks. From a governance perspective, ensuring that processes are in place for risk management, vulnerability and patch management, incident and business continuity management, and supply chain security will ensure compliance with most requirements.

Conclusion: Leveraging Existing Frameworks

Implementing these requirements is no trivial task. Therefore, it’s critical to leverage existing frameworks—they work. There’s no need to reinvent the wheel.

Our solutions can help you stay on top of your security

Contact us, our experts would be happy to assist you.
