Since when do chief information security officers (CISOs) need to know about regulatory compliance? As it turns out, the answer is “now.”

A recent survey reported in The Wall Street Journal found that employers reported “failure to meet regulatory compliance, resulting in fines or other penalties” is the single most “fireable” offense for IT professionals.

As organizations today battle a widening skills gap for IT and security professionals, it would be smart to minimize these fireable offenses — and that starts with the CISO. When hiring a CISO, employers have typically looked for technical acumen and management capability. Now, they need to add regulatory experience to that mix.

The Importance of the Compliance-Minded CISO

Many mistakenly think that complying with privacy and security laws is an IT issue; if you get your encryption and authentication sorted out, all will be well. But compliance is a much more challenging and complex task, involving policies, procedures and education. Successful CISOs need to recognize this and take steps to better understand their regulatory obligations and what must be done to ensure compliance.

On an encouraging note, I saw this education in action while speaking to a group of technologists at a Cloud Security Alliance meeting recently. The topic — legal liability and cyber insurance in the wake of a data breach — wasn’t exactly titillating, but the place was packed with IT professionals ready to learn.

The defining moment came when I asked for a show of hands of who knew what GDPR stood for (hint: it’s “General Data Protection Regulation”). Ninety percent of hands went up — shockingly high compared to the polls I’ve taken in the past.

This, of course, was a self-selecting group of IT experts, but they were there to expand their horizons and inoculate themselves and their organizations against a top fireable offense. I hope to see more like them in the future.

Read the solution brief: Preparing for GDPR’s Incident Rresponse Challeges

Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.

Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.

More from CISO

Making smart cybersecurity spending decisions in 2025

4 min read - December is a month of numbers, from holiday countdowns to RSVPs for parties. But for business leaders, the most important numbers this month are the budget numbers for 2025. With cybersecurity a top focus for many businesses in 2025, it is likely to be a top-line item on many budgets heading into the New Year.Gartner expects that cybersecurity spending is expected to increase 15% in 2025, from $183.9 billion to $212 billion. Security services lead the way for the segment…

On holiday: Most important policies for reduced staff

4 min read - On Christmas Eve, 2023, the Ohio State Lottery had to shut down some of its systems because of a cyberattack. Around the same time, the Dark Web had a “Leaksmas” event, where cyber criminals shared stolen information for free as a holiday gift. In fact, the month of December 2023 saw more than 2 billion records breached and 1,351 disclosed security incidents, according to research from IT Governance — an increase of 332% and 187%, respectively, over the month of…

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today