Breach reporting has changed drastically over the past year. The conviction of former Uber CSO Joe Sullivan for actively taking steps to hide a 2016 data breach, and for subsequently holding back from fully disclosing details when questioned, certainly fed into a cascade of mandatory reporting rules and a spotlight on the CISO and CSO roles, prompting many top security chiefs to re-examine their own breach disclosure processes and cyber risk strategies. Most recently, the Securities and Exchange Commission (SEC) required that any material cybersecurity incident be reported within four business days of the company determining that the incident is material.
Reporting a breach and its anticipated impact on a company invites considerable scrutiny from regulators and the public, as well as potential litigation. In certain instances, an organization may even have to provide technical details about which vulnerabilities were exploited, as required under the Cyber Incident Reporting for Critical Infrastructure Act of 2022. Complying with regulatory disclosure requirements while protecting the integrity of the investigation and response effort is not easy even on a good day. If an organization falls under multiple regulations across several countries or regions, a CISO must now navigate a web of overlapping reporting obligations, adding another layer of work for an already overstressed group of professionals. Gartner predicted earlier this year that nearly half of cybersecurity leaders will change jobs by 2025, and a full quarter will change career paths entirely, because of the mental and emotional toll associated with their work.