
Navigating a Year of the SEC Cyber Disclosure Rules


This December marks one year since the Securities and Exchange Commission (SEC) implemented new regulations requiring public companies to disclose significant cyber incidents and integrate comprehensive risk management practices.

While these rules aim to improve transparency and resilience, they’ve also created an intense new layer of responsibility, pushing many CISOs to reassess their strategies, invest in resources, and sometimes reconsider their career paths.

Trellix commissioned independent market research agency Vanson Bourne to conduct a research survey of 508 CISOs across the globe to understand their views on cybersecurity regulation, the CISO role, and their interactions and challenges when reporting to their organization’s board. Read the full report, The CISO Crossroads: Regulation, pressures, and the future of cybersecurity leadership. Here’s a deeper look into how these leaders tackle the challenges and reshape their organizations to meet the SEC’s heightened demands.

High effort, high preparedness

A staggering 83% of CISOs report the new SEC rules required either large or significant effort on their part. The response underscores the extensive work needed to align cybersecurity practices with regulatory expectations. Despite the high effort involved, 89% feel prepared to adhere to these requirements—illustrating the resilience and adaptability of these leaders. However, it hasn’t been an easy transition; only 33% say they’ve managed to adapt effectively, with many describing the journey as challenging.

CISOs report increased headcount, process overhauls, and technology investments

Most organizations found their existing resources and processes are insufficient to meet the new SEC requirements. The regulations forced an array of strategic changes across cybersecurity and risk management, with many companies needing to:

  • Hire more staff: 63% of organizations increased their headcount to handle the added reporting and disclosure requirements.
  • Revamp incident response plans: 52% of CISOs reported reviewing their incident response plans to ensure they could report incidents within the mandated four-day window.
  • Invest in training and technology: Nearly half (48%) of companies committed resources to educate both staff and board members on cybersecurity issues, while 44% upgraded their technology to streamline compliance efforts.
  • Evaluate third-party vendors: 44% of organizations undertook vendor reviews to ensure compliance across their supply chains.

These investments not only highlight the operational adjustments but also reflect a broader push to enhance cybersecurity maturity and accountability within companies.

Career impacts and the CISO role

The intensive demands of these new rules impact not only organizational operations but also CISOs on a personal level. For some, the SEC’s strict requirements have raised questions about the sustainability of their role. Almost one in five CISOs (19%) say the rules have made them consider stepping away from the CISO role entirely, with increasing workloads and a blurred work-life balance heightening these concerns.

Additionally, 42% of CISOs feel these regulations significantly distract them from other priorities, and another 42% report that balancing regulatory compliance with their other responsibilities takes a large effort. Nearly half (49%) of CISOs say they do not see a future as CISOs due to their ever-expanding responsibilities. Without continued adaptation and support, there’s a risk more CISOs may consider other career options, potentially impacting the future of cybersecurity leadership.

SEC regulations as a catalyst for industry change

Despite the demands, many CISOs recognize the broader value of these regulations. Beyond driving internal change, the SEC rules gradually reshape the cybersecurity landscape. Increased transparency through mandatory incident disclosures and a heightened focus on risk management encourage more companies to prioritize cybersecurity proactively rather than reactively.

One year in, it’s clear these SEC regulations are helping to institutionalize cybersecurity as an integral part of corporate governance. A majority (74%) view the regulations positively, seeing them as a way to advocate for more robust cybersecurity resources within their organizations. The mandated transparency provides CISOs with a powerful tool for securing executive buy-in, giving weight to requests for budget increases and technological investments.

The path forward

The first year of the SEC’s new cybersecurity rules has laid a demanding foundation, underscoring the need for a measured approach to regulatory compliance. To ensure the long-term sustainability of these roles, organizations must continue supporting their CISOs, meeting regulatory demands, and maintaining a balanced workload.

In the coming years, as the SEC and other governing bodies refine their regulations, the lessons from this initial year will serve as valuable guidance. For now, CISOs must continue navigating this challenging terrain that has already reshaped the cybersecurity landscape and promises to foster a more resilient future.

Dive into the details and read the complete Mind of the CISO Report: CISO Crossroads: Regulation, pressures, and the future of cybersecurity leadership.
