How Should CIOs Handle More Cybersecurity Regulations?

Keeping the company safe is the job of the CIO
Image Credit: Bill Smith

I think that we can all agree that we are living in an increasingly dangerous world. As our companies come to depend on information technology and accumulate more and more valuable information, the bad guys keep looking for ways to break in and steal customer credit card and personal information. As the person with the CIO job, it is your responsibility to keep your company's digital assets safe. It turns out that regulators have been watching us, and they now think that securing the company is important enough that they are starting to write regulations in this area. Is this a good thing or a bad thing for CIOs?

The Arrival Of Regulations

As an example of the types of regulations that the person in the CIO position has to deal with, regulators in the state of New York have been alarmed by the number of electronic break-ins they have been reading about in the newspapers. This has led them to propose new rules that would make New York among the first states in the U.S. to require banks to formalize their cybersecurity program.

The interesting thing about regulations is that they are not optional: once enacted, a company is required by law to make whatever changes the new regulations call for. These proposed rules would require some of the world's largest banks to invest millions of dollars in cyber protections.

The way that the CIO organizes his or her department would also change. Under the new regulations, banks would be required to appoint a chief information security officer. Additionally, banks would have to show that they had implemented measures to detect and deter cyberintrusions and attempts to steal customer data, which in practice means being able to demonstrate the controls, not just assert that they exist.

How CIOs Can Live With New Regulations

One of the areas surrounding cybersecurity that has always been rather murky is exactly who you have to inform when you are the target of an attack. Firms generally don't want to state publicly that they have been attacked because they don't want to worry current and potential customers. However, regulators who are trying to understand the scope of the problem they are dealing with would like to know. That is why New York's proposed rules include a new requirement that banks notify New York's Department of Financial Services of any material breach within 72 hours. A window that short means the incident response process needs a clearly defined point at which the clock starts and a pre-agreed path from the security team to whoever files the notice; a bank that first has to work out who is allowed to talk to the regulator will not make the deadline.

Right now, there is a patchwork of different state regulations that determine when a company has to report a break-in. This is why most companies try to say as little as possible when something bad happens. The reason regulators have become interested in banks' approach to cybersecurity is that it is becoming apparent that hackers could wreak havoc with the U.S. financial infrastructure if they are not prevented from breaking in.

Since cybersecurity is a fast-changing field where new threats and new protections show up almost every day, the regulators understand that they cannot hope to cover every case that might be encountered. This is why the proposed regulations are framed as minimum standards: they set a floor, and each bank is still expected to assess its own risks and decide what additional protections are needed above that floor.

What All Of This Means For You

Keeping our company's networks and data safe from the bad guys is a critical part of the CIO's job. There seem to be more bad guys every day, so this task is not getting any easier. The people who make laws understand that keeping our companies safe is a critical task, and so they are starting to create regulations that require us to do a good job of it.

In the state of New York, new regulations are being proposed that would affect the CIOs at major banks. These regulations would set the minimum standards that a bank's CIO would have to implement in order to keep the bank's data and networks safe. The regulations would also require that the bank create the role of a chief information security officer. Finally, banks would have to report any material breach to the state's Department of Financial Services within 72 hours.

Regulations can be a hassle for CIOs, just one more thing that we need to make sure we have taken care of. However, in the case of the New York banking cybersecurity regulations, these should not be that big of a deal. With a little luck we have already put in place the safeguards that these regulations call for, and the main new work is being able to prove it. The new regulations will just give us a chance to show everyone the good cybersecurity work that we have already accomplished!

– Dr. Jim Anderson
Blue Elephant Consulting –
Your Source For Real World IT Department Leadership Skills™

Question For You: Do you think that CIOs should report attempted cyber break-ins to regulators even as they are happening?

What We’ll Be Talking About Next Time

If I asked you what the most important application your company uses is, what would your answer be? I believe that for most of us it would be email, since this is how everyone in the company communicates with each other. However, there is a revolution in communication going on that may change everything. Chat has arrived, and it is going to be the CIO's job to manage this new service.