“What this means is that now the CISO has more hard-core business rationale for spending,” Dickson opined. “In the good old days CISOs would say, ‘We have to do this or we might get hacked.’ It was an abstract threat and risk that, candidly, most execs had a hard time quantifying.
“Now they don’t have a choice, there’s less discretion, so the sophisticated CISO is going to take these compliance and regulatory frameworks and use them to get as much security coverage as they possibly can,” Dickson continued. “He or she can go to the chief counsel and say, ‘Hey, we’ve got to do this, we don’t have a choice; we’re doing business in New York.’”
Savvy CISOs should view the specter of rising regulation, combined with the steady drumbeat of high-profile breach disclosures, as a godsend. It’s a chance to articulate why their company must embrace efficacious data security policies and employee training. And it’s a chance to delve into the wellspring of security innovations, readily on display at conferences like RSA and Black Hat, and methodically sift the wheat from the chaff.
Dickson and I had a lively discussion about how corporate behaviors — for large enterprises and for SMBs, as well — are likely to shift in response to these developments. For a drill down, please listen to the accompanying podcast.
