Blog

“Overwhelmed employees may become discouraged, leading to security nihilism, where they feel that breaches are inevitable and give up on maintaining security measures,” McGladrey said. “This can result in a lack of communication about potential threats, making it harder for security teams to respond effectively.”

“Companies should conduct thorough risk assessments to identify and mitigate potential harms associated with AI products, understanding their limitations and potential misuse,” McGladrey said. “Maintaining clear documentation of AI system metrics and methodologies, along with disclosing any known risks or limitations to customers, is essential for transparency.”

“To protect their personal data, consumers can take several practical steps to remove their information from data broker websites and opt-out of marketing. First, they should identify where their data is held by searching major data broker sites, public records, and credit reports. Once identified, consumers can use the “Opt Out” or “Remove My Data” links provided on these websites to submit removal requests, ensuring they confirm their identity and track the progress.

Additionally, they should familiarize themselves with regulations like the California Consumer Privacy Act (CCPA), which allows them to request the deletion of their personal data and opt-out of its sale. Consumers can also use online tools and services designed to automate the opt-out process from marketing lists and data brokers.

If approved, the proposed new HIPAA rules will reshape the landscape of healthcare cybersecurity, partially addressing the recent OIG report’s findings on the ineffectiveness of current HIPAA audits. For CISOs, these changes present both opportunities and challenges as they work to enhance their organizations’ cybersecurity practices. The updated compliance requirements for electronic protected health information promise significant benefits but also come with associated costs. As these rules are open for public comment over the next sixty days, healthcare CISOs have a window to provide their insights and influence the final regulations, ensuring they align with the practical realities of safeguarding sensitive health data.

As 2025 approaches, emerging regulations and laws will affect how CISOs strategize and protect their organizations. With the increasing complexity of global compliance frameworks, understanding these changes is crucial for maintaining security and operational efficiency. Let’s discuss what I expect regarding regulatory shifts and their implications in 2025 and explore what CISOs and CCOs should prepare for in the coming year.

At issue is whether the incident led to significant risk to the organization and its shareholders. If so, it’s defined as material and must be reported within four days of this determination being made (not its initial discovery). “Materiality extends beyond quantitative losses, such as direct financial impacts, to include qualitative aspects, like reputational damage and operational disruptions,” he says. McGladrey says the SEC’s materiality guidance underscores the importance of investor protection in relation to cybersecurity events and, if in doubt, the safest path is reporting. “If a disclosure is uncertain, erring on the side of transparency safeguards shareholders,” he tells CSO.

Kayne McGladrey, IEEE senior member and field CISO at Hyperproof, said AI ethics skills are important because they ensure that AI systems are developed and used responsibly, aligning with ethical standards and societal values.

“Compliance with regulatory standards and industry-specific guidelines for product security is an indispensable part of cybersecurity. In an age where malicious AI poses a significant threat, how do organizations ensure their product security strategies are not just effective, but also fully compliant? As a part of this series, I had the pleasure of interviewing Kayne McGladrey.”

Presented at the CIO & CISO Atlanta Summit

New Year, New Standards: Preparing for SEC Cybersecurity Disclosures in 2025 and Beyond

The SEC’s new cybersecurity disclosure requirements have set a new benchmark for transparency and accountability, compelling public companies to enhance their cybersecurity practices and reporting.

In this session, you’ll learn how to align your organizations with these evolving requirements and take proactive steps to stay ahead of regulatory expectations.
In this session, we’ll join Kayne McGladrey, Field CISO at Hyperproof, to discuss:

An overview of the 2024 SEC cybersecurity requirements
Best practices for cybersecurity disclosures
How to prepare for the 2025 disclosure season

The security industry can do a better job of promoting emerging technologies in security environments by linking their solutions to measurable outcomes that matter to CISOs. Those outcomes could be to either reduce sales friction or to show measurable progress in key risk indicators that board members care about. For example, while according to the recent “The Impact of Technology in 2025 and Beyond: an IEEE Global Study,” 48% of technologists said that the top application for AI in 2025 will be real-time cybersecurity vulnerability identification and attack prevention, vendors should still be prepared to explain how investments in their solutions can produce progress over time and support agreed-upon business objectives, outside of the technical benefits. Unfortunately, most emerging technologies primarily discuss technical benefits and features, not business outcomes. For example, if a CISO cares about multifactor authentication coverage, vendors should explain how their solution improves coverage and ties that to higher business resiliency. That would also reduce friction in B2B sales where a high degree of MFA coverage could be cited as a key control in a SOC 2 type 2 report, for example.

We chatted with Kayne about education systems security, funding for cyber tools and services, and what the future of education might look like to fill more cyber roles.

Cybersecurity failures were definitely in the news in 2024, but the year’s most serious issue — the outage at security vendor CrowdStrike, which affected millions of Windows systems around the world — wasn’t the result of a intentional attack, notes Kayne McGladrey, Field CISO at Hyperproof and senior member of the Institute of Electrical and Electronics Engineers (IEEE). It was caused by a flaw in an update of the CrowdStrike software. Yet it cost a wide range of companies, including airlines, public transit, healthcare and financial services, an estimated $5.4 billion.