Drafting Compliance S1, E2: The FedRAMP Authorization Boundary

of a growing number of regulations, today’s CISOs and their team members are spending a lot more time responding to questions about their security programs. Providing answers — whether to internal compliance teams who need the information to fulfil legal obligations or external business partners who want assurances — is now an expected part of the modern security department’s responsibilities. Yet it’s not the most effective use of worker time. “It’s not only frustrating, but it also sucks up a lot of time,” says Kayne McGladrey, a senior member of the Institute of Electrical and Electronics Engineers (IEEE), a nonprofit professional association, and field CISO at Hyperproof. There are strategies for meeting security’s obligations to provide information without tying up CISOs and their teams too much, he and others say. McGladrey says automation is one such strategy, saying that “evidence of control operations should be automated, and evidence of effectiveness can also be automated.”

In this live episode of the Virtual CISO Happy Hour, our cybersecurity experts discuss the critical steps companies must take to navigate the complex landscape of data privacy. They discuss the importance of establishing regular data inventories and minimization efforts to ensure that only business-critical information is retained, thereby reducing the attack surface for threat actors.

The conversation shifts to the pitfalls of treating privacy audits as one-off events rather than ongoing processes. Our experts argue for the automation of data control operations and the continuous evaluation of their effectiveness, which is crucial for maintaining compliance and achieving certifications like ISO or SOC 2.

The episode also tackles the misconception of ‘cyber risk,’ advocating for a broader understanding of business risk and its real-world consequences. The discussion highlights the importance of aligning cybersecurity strategies with business KPIs and KRIs to effectively communicate the value of security measures to executives and boards.

Furthermore, they explore the role of CISOs in control design and effectiveness, emphasizing collaboration with CFOs to leverage their experience with regulatory compliance for more nuanced and effective control strategies. They also touch upon the significant cost savings that can be realized by reevaluating and updating corporate risk registers in response to changes in data storage and access patterns.

This episode is a must-listen for any professional involved in data privacy and cybersecurity, offering practical insights into making informed decisions that align with both security and business objectives.

AI can also help improve retention rates by making entry-level cybersecurity jobs “less dull,” says Kayne McGladrey, CISO and CIO of Pensar and a member of the IEEE. “We get people out of school, and they are excited to be on the team. Then, on their first day, they’re handed a checklist: here’s the things you will do and the order in which you will do them.”

“Compliance with regulatory standards and industry-specific guidelines for product security is an indispensable part of cybersecurity. In an age where malicious AI poses a significant threat, how do organizations ensure their product security strategies are not just effective, but also fully compliant? As a part of this series, I had the pleasure of interviewing Kayne McGladrey.”

“In 2024, the most significant cybersecurity surprise will be the widespread recognition that Chief Information Security Officers (CISOs) are primarily risk advisors, not risk owners. This distinction contrasts with some companies’ previous perceptions and the operational reality. With cybersecurity concerns such as data center vulnerability, cloud vulnerability, and ransomware attacks still being a top concern for business leaders in 2024, this distinction is important to keep in mind to ensure the success of corporate security. Business systems are managed by business owners, whose performance is measured based on the system’s effectiveness. Historically, some companies have incorrectly assumed that the CISO is responsible for authorizing or mitigating some of the risks associated with these business systems. This is a misconception. The business owner, likely the individual who has approved the business continuity plan or is most affected by operational disruptions, also bears the responsibility of deciding how to address each risk. While CISOs can identify and propose mitigation strategies for business risks related to cybersecurity, they do not and should not accept or authorize the mitigation of risks for systems outside their ownership.”

“In 2024, the most significant cybersecurity surprise will be the widespread recognition that Chief Information Security Officers (CISOs) are primarily risk advisors, not risk owners. This distinction contrasts with some companies’ previous perceptions and the operational reality. With cybersecurity concerns such as data center vulnerability, cloud vulnerability, and ransomware attacks still being a top concern for business leaders in 2024, this distinction is important to keep in mind to ensure the success of corporate security. Business systems are managed by business owners, whose performance is measured based on the system’s effectiveness. Historically, some companies have incorrectly assumed that the CISO is responsible for authorizing or mitigating some of the risks associated with these business systems. This is a misconception. The business owner, likely the individual who has approved the business continuity plan or is most affected by operational disruptions, also bears the responsibility of deciding how to address each risk. While CISOs can identify and propose mitigation strategies for business risks related to cybersecurity, they do not and should not accept or authorize the mitigation of risks for systems outside their ownership.”

CISOs now face substantial personal risks, as seen in cases like Uber and SolarWinds where the SEC has taken legal action against the security chiefs. The primary risk is both personal and professional liability for the CISO, according to Kayne McGladrey, field CISO at Hyperproof. The problem, however, is that boards unaware of the business risks from poor cybersecurity are unlikely to include the CISO in the Directors & Officers insurance policy. “This exposes CISOs to substantial risk,” McGladrey told Cybersecurity Dive.