Why the SEC Ruling Could Make It More Difficult for CISOs

After a year of speculation, the SEC finally ruled on its new cybersecurity initiative.  Many security leaders are extremely disappointed with the watered-down ruling.  There was hope that the SEC would dictate that each public board must have a named director who would be responsible for overseeing cyber risks.  

The ruling fell short of requiring a “named” director; instead, it loosely outlined that the board needs to have cyber awareness and a plan for addressing cyber risks.

Security Leaders (i.e. CISOs) had been campaigning for the named director to give them an ally in the board room.  Too often the board lacks the knowledge and desire to address cyber risks to the level a CISO feels is adequate to protect the company. 

I’ve always contended that the CISO role is the most difficult executive position because of its breadth of responsibility, and the lack of executive support.  

Often, the lack of boardroom understanding about cyber risks makes it difficult to garner the support and budget to adequately protect the firm.  Yet CISOs are still seen as the ones to blame if a cyber event happens.  

This causes frustration for both the CISO and the Board, which is a core reason the average tenure of a CISO is only 24 months. This is the shortest tenure of any of the CXOs.

So will the new regulation improve or hurt the CISO position? I think both. 

It will elevate the awareness of cybersecurity in the boardroom as it requires there to be:

  • Cyber Risk Knowledgeable Board Oversight 
  • Defined Cyber Risk Processes
  • Timely Disclosure of Breaches (4 days)

With the SEC monitoring over 12,000 public entities, Boards can no longer ignore cybersecurity.  Investors and consumers will be more informed about the cyber health of public companies. 

Therefore, the target on the CISO’s back just got bigger and more visible.

CISOs will need to develop public-facing cyber policies that the board will need to agree to and adhere to.  Boards will add CISO oversight as a watchdog for compliance with cyber policies and reporting. 

In addition, CISOs will be held accountable for quickly discerning the impact of cyber events and the information which needs to be disclosed, plus how and when it is reported and communicated. 

In the short term, the CISO position will be burdened with establishing new processes and procedures to meet SEC expectations. CISOs will also have to communicate these changes and get buy-in across the organization. 

In the long term, the new SEC requirements should provide additional visibility that CISOs need.  Maybe it will help the rest of the executive team take cyber risks as seriously as the CISO does.


At Fortify Experts, we understand the challenge of finding and hiring a CISO that fits your company’s goals. That’s why we’re committed to helping executive leadership teams find the right CISO for their organization and have developed a step-by-step guide on how to hire a great CISO who meets your firm’s expectations.

Request your free copy of How to Hire a Great CISO by Fortify Experts today and take the first step towards establishing a strong security program for your organization.