Author: Kayne

Since the 1990s, security convergence evolved from merging physical and network security into integrating physical, digital, and operational security. Initially, organizations combined controls to address risks from siloed measures. In the 2000s, connections between physical systems and IT security led to unified governance frameworks. By the 2010s, convergence became holistic, driven by cloud computing and mobile devices. Today, a unified framework aligns all security domains, integrating controls for cloud services, IoT, and industrial systems. Looking ahead, convergence will leverage AI, machine learning, and predictive analytics to enhance threat detection and response, while privacy regulations like GDPR and CCPA shape measures to protect user privacy.

Integrating AI and cloud technology is reshaping auditing processes, requiring GRC and cybersecurity professionals to adapt to new tools that centralize risk and compliance activities. This shift improves efficiency and accuracy in audits, allowing for real-time monitoring and streamlined workflows. Companies increasingly use AI-driven solutions to automate routine tasks, such as data analysis and cybersecurity anomaly detection, freeing up professionals to focus on more complex issues. Globally, auditors are expected to implement AI tools for tasks like sampling, risk identification, and data analysis. While this may increase audit efficiencies, audit clients are likely to ask for cost concessions.

Kayne McGladrey, Field CISO at Hyperproof and Senior IEEE Member, says cybersecurity is also fertile ground for AI. “CISOs are looking at AI and automation solutions that handle common cybersecurity tasks. These include collecting evidence of control operations for the internal audit team, testing that evidence automatically, and producing regular reports on such things as false-positive cybersecurity events. These tasks help overworked cybersecurity analysts and engineers to focus on the parts of the job that they love without burdening them with excessive paperwork.”

It’s time we heard from people who live and breathe cybersecurity. Join me as we discuss the highs and lows of working in this industry, the topics that need clarifying, and those that need the B.S. removed. Kayne is active in the community and has offered some GRC maturity models to help anyone.

“Overwhelmed employees may become discouraged, leading to security nihilism, where they feel that breaches are inevitable and give up on maintaining security measures,” McGladrey said. “This can result in a lack of communication about potential threats, making it harder for security teams to respond effectively.”

“Companies should conduct thorough risk assessments to identify and mitigate potential harms associated with AI products, understanding their limitations and potential misuse,” McGladrey said. “Maintaining clear documentation of AI system metrics and methodologies, along with disclosing any known risks or limitations to customers, is essential for transparency.”

“To protect their personal data, consumers can take several practical steps to remove their information from data broker websites and opt-out of marketing. First, they should identify where their data is held by searching major data broker sites, public records, and credit reports. Once identified, consumers can use the “Opt Out” or “Remove My Data” links provided on these websites to submit removal requests, ensuring they confirm their identity and track the progress.

Additionally, they should familiarize themselves with regulations like the California Consumer Privacy Act (CCPA), which allows them to request the deletion of their personal data and opt-out of its sale. Consumers can also use online tools and services designed to automate the opt-out process from marketing lists and data brokers.

If approved, the proposed new HIPAA rules will reshape the landscape of healthcare cybersecurity, partially addressing the recent OIG report’s findings on the ineffectiveness of current HIPAA audits. For CISOs, these changes present both opportunities and challenges as they work to enhance their organizations’ cybersecurity practices. The updated compliance requirements for electronic protected health information promise significant benefits but also come with associated costs. As these rules are open for public comment over the next sixty days, healthcare CISOs have a window to provide their insights and influence the final regulations, ensuring they align with the practical realities of safeguarding sensitive health data.

As 2025 approaches, emerging regulations and laws will affect how CISOs strategize and protect their organizations. With the increasing complexity of global compliance frameworks, understanding these changes is crucial for maintaining security and operational efficiency. Let’s discuss what I expect regarding regulatory shifts and their implications in 2025 and explore what CISOs and CCOs should prepare for in the coming year.

At issue is whether the incident led to significant risk to the organization and its shareholders. If so, it’s defined as material and must be reported within four days of this determination being made (not its initial discovery). “Materiality extends beyond quantitative losses, such as direct financial impacts, to include qualitative aspects, like reputational damage and operational disruptions,” he says. McGladrey says the SEC’s materiality guidance underscores the importance of investor protection in relation to cybersecurity events and, if in doubt, the safest path is reporting. “If a disclosure is uncertain, erring on the side of transparency safeguards shareholders,” he tells CSO.

Kayne McGladrey, IEEE senior member and field CISO at Hyperproof, said AI ethics skills are important because they ensure that AI systems are developed and used responsibly, aligning with ethical standards and societal values.

“Compliance with regulatory standards and industry-specific guidelines for product security is an indispensable part of cybersecurity. In an age where malicious AI poses a significant threat, how do organizations ensure their product security strategies are not just effective, but also fully compliant? As a part of this series, I had the pleasure of interviewing Kayne McGladrey.”