Webinar Recap: CISO Accountability in the Era of New Industry Regulations

Written By Yehuda Kirschenbaum

Right before the New Year, we were honored to have Rinki Sethi, VP & CISO of BILL and Onyxia Advisor, join our very own CEO and Founder, Sivan Tehila, to speak about CISO accountability in light of new regulations, like the SEC cybersecurity disclosure rules. 

Rinki and Sivan shared some very valuable insights about the impact of new risk management regulations, how CISOs are currently managing their threat defense efforts, and what security leaders can do in the future to strengthen their programs and board reporting. 

Below are some of the key highlights and to tune into all the important takeaways Rinki and Sivan shared.


The New SEC Regulations 

Regarding the new SEC regulations, Sivan asked Rinki to share her perspective on the impact of the new regulations. “There’s so much more scrutiny around security programs,” Rinki said. She went into more detail to describe how security programs are being measured and evaluated. Rinki thoughtfully concluded this topic saying “...this is really going to be driving a shift in the industry.”

Key Findings from Our CISO Report

Sivan discussed the report we released, Key Metrics to Defend Against Threats: The CISO Perspective, based on a survey of 200 CISOs. The first observation Sivan mentioned was that we found that 60% of CISOs measure the performance of their full security program at least once a month. Rinki shared that constant measurement is still rare but in the past 2 to 5 years she has at least noticed an increase in the frequency that CISOs measure their security program performance. The manual nature of this process was determined to be the main culprit forwhy constant measurement and automated dashboards are still rare. 

Rinki was also not surprised that the average Mean Time to Respond (MTTR) SLA for CISOs was found to be 9 hours. Automation was suggested as a way to improve the MTTR but Rinki acknowledged that there is a need for more resources both to measure MTTR and improve it. 

Sivan described her experience as a CISO and how it inspired her to create Onyxia. Sivan also mentioned how the new regulations bring attention to how “You always need this data when you’re not ready to have it.”

Something that Sivan and Rinki both found concerning and interesting was that seniority had an effect on a CISO’s Average SLA. (CISOs with 7+ years of experience reported an average SLA of 25.7 days to patch or resolve High Severity Vulnerabilities, while CISOs with less than 6 years of experience reported 20.7 days.) Rinki added that newer CISOs may also be working at newer companies. This can change the way that CISOs operate the culture of the company and therefore affect their average SLA. She also went into detail about the importance of a supportive management culture.


What Now?

Sivan and Rinki discussed CPIs (Cybersecurity Performance Indicators) to measure the program’s well-being. They also discussed various methods for benchmarking including comparing current performance against past program performance to understand progress, comparing program performance to the program performance of other industries, particularly more regulated ones, and comparing program performance to companies of different sizes.

Rinki gave a great description of how incidents are processed and weeded out from logs of all incidents which are processed through tooling and automation to sort out the remaining critical incidents. 

To demonstrate the impact of your risk management strategy and efforts at the board and business level, Sivan and Rinki gave some detailed and relevant tips like how metrics can support the story that a CISO is trying to illustrate to the board. Rinki stressed the decrease in workload automation can provide in pulling data and Sivan commented on how Onyxia’s management platform allows for adding edits to reports so that CISOs can comment on the story behind the metrics.

Sivan concluded the informative part of the webinar with a great message—- while new regulations add pressure, they are also an ✨opportunity✨ for CISOs to demonstrate the impact and importance of their cybersecurity measures. 


Click below to watch the webinar on-demand.


Yehuda Kirschenbaum
Previous

Mid-January Product Update: New NIST Dashboard, CPI Labeling and More
Next

Onyxia 2023 Wrapped: A Year Full of Milestones, Achievements and Awards