Since when do chief information security officers (CISOs) need to know about regulatory compliance? As it turns out, the answer is “now.”
A recent survey reported in The Wall Street Journal found that employers reported “failure to meet regulatory compliance, resulting in fines or other penalties” is the single most “fireable” offense for IT professionals.
As organizations today battle a widening skills gap for IT and security professionals, it would be smart to minimize these fireable offenses — and that starts with the CISO. When hiring a CISO, employers have typically looked for technical acumen and management capability. Now, they need to add regulatory experience to that mix.
The Importance of the Compliance-Minded CISO
Many mistakenly think that complying with privacy and security laws is an IT issue; if you get your encryption and authentication sorted out, all will be well. But compliance is a much more challenging and complex task, involving policies, procedures and education. Successful CISOs need to recognize this and take steps to better understand their regulatory obligations and what must be done to ensure compliance.
On an encouraging note, I saw this education in action while speaking to a group of technologists at a Cloud Security Alliance meeting recently. The topic — legal liability and cyber insurance in the wake of a data breach — wasn’t exactly titillating, but the place was packed with IT professionals ready to learn.
The defining moment came when I asked for a show of hands of who knew what GDPR stood for (hint: it’s “General Data Protection Regulation”). Ninety percent of hands went up — shockingly high compared to the polls I’ve taken in the past.
This, of course, was a self-selecting group of IT experts, but they were there to expand their horizons and inoculate themselves and their organizations against a top fireable offense. I hope to see more like them in the future.
Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.
Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.