How could organizations better support the CISO and the security function going forward? What organizational changes would reduce burnout risk for cybersecurity leaders (and are you hopeful that we’ll see such changes in the coming years)?

CISO, a year ago

There's going to be a lot of change in the coming years, especially with new regulations. Organizations need to be clear about the support needed for cybersecurity functions. It's about articulating the risk of doing nothing, but also the risks of doing something. As a leader, you need to explain what the risks are to the business. For example, if we make $10K/hour on online sales during Christmas time, that can cost us $50K/hour if we go down due to a cybersecurity incident.

CISOs now have a lot of leverage, especially in public companies. The SEC is tired of being lied to by cybersecurity companies that claim they have security when they don't. It's now mandatory to report risks and governance to the SEC. If you lie or exaggerate the truth, there are serious consequences.

No title, a year ago

I agree with Ian. A lot of people don't connect the dots between cybersecurity and other business risks. Cybersecurity can directly or indirectly cause or enhance other risk issues. However, there can be pressure to reduce the portrait of risk. Don't bend on that. If you want to accept the risk, go ahead, but if it's material, stick it in your 10-K saying we have a material cyber risk. There are ways to do it with high integrity.

CISO, a year ago

We have to run our security programs more like an actual business unit. We need to move our security programs into more data-driven analysis. Having good key risk indicators, especially around coverage metrics, is crucial. We also need to talk more about risk acceptance. That's a perfectly viable outcome, especially in a public company environment, if it's appropriately disclosed.

Global Chief Cybersecurity Strategist & CISO in Healthcare and Biotech, a year ago

Even if your company does not have an Enterprise Risk Management program, you should have a cybersecurity risk program. Partner with your governance, risk and compliance person. Cyber liability insurance also has deep assessments of your company now and aligns them with the risk tolerance. This can help with your budget.
