23 NYCRR 500: Opening Day
It’s March 1st, and the long-anticipated new set of cybersecurity standards from the New York Department of Financial Services, 23 NYCRR 500, begins to take effect today. The new regulation imposes a list of requirements on entities operating in the financial services industry. Among this laundry list is the requirement for each covered entity to have a designated Chief Information Security Officer (CISO). These CISOs will be responsible for overseeing and implementing their organizations’ cybersecurity programs as well as enforcing cybersecurity-related policies. In addition, CISOs will need to provide updates to the board of directors at least annually.
The Rise of the CISO-as-a-Service Offering
Recruiting cybersecurity professionals is already difficult, and it will become an even steeper challenge for small-to-medium sized enterprises in New York. The cybersecurity field already faces a massive talent shortage, with unfilled cybersecurity positions estimated at nearly 1 million openings. It’s particularly difficult to identify and hire qualified CISOs: experienced applicants are a rarity in the industry, and a truly talented CISO needs both technical skills and business acumen. This shortage gives the advantage to big firms that offer up big salaries to attract and retain the truly qualified CISOs and other cybersecurity professionals. Unfortunately, that also means most small-to-medium sized enterprises will be left scrambling for cyber talent. So what do you do when you need to put some runs on the scoreboard? You call in a pinch hitter.
The regulation does not, in fact, mandate that the CISO role be a full-time position. In order to stay compliant with the regulation, many businesses will likely have to outsource the CISO role to a third party, and many companies will be looking to big consultants and cybersecurity firms for that help. As these traditional firms get tapped out, and as customer demand starts driving the cost of services up, independent CISOs will likely pop up and offer their expertise as a shared service. In both cases, what’s likely to occur is a CISO taking on multiple “accounts” simultaneously, responsible for the implementation and management of multiple cybersecurity programs. Unfortunately, splitting a CISO’s time and responsibilities across multiple companies leaves a wider crack for things to fall through.
Defining the Balk
The DFS regulation states that, “Each Covered Entity shall designate a qualified individual responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy…” The phrase “a qualified individual” is wide open to interpretation, leaving open the chance that the role is improperly filled. Just as the balk is open to an umpire’s interpretation, organizations have the authority to determine and define which individuals are qualified for this CISO role. Unfortunately, many companies will simply want and need to check this box so that they remain compliant with the regulation, even though checking the box does not necessarily ensure that those organizations will move down the path towards cyber resilience.
One of the key requirements of 23 NYCRR 500 is that the designated CISO must provide a written cybersecurity policy to the board, or to an equivalent governing body if the company does not have a Board of Directors, on an annual basis. While this requirement is certainly worthwhile, its utility depends on the CISO’s business acumen and ability to translate tech talk into board speak. It also requires the board to have a sufficient level of cyber literacy to properly understand, govern, and oversee the new cybersecurity strategy.
Stacking The Bench: Murderer’s Row 2.0
In 1927, the New York Yankees had such a stacked lineup of great hitters that they became infamously known as “Murderer’s Row.” Today, New York City, like many other cities in the U.S., has been looking to establish itself as the next hotbed of technology and innovation. While it’s likely not the intent of the regulation, 23 NYCRR 500 creates a forced demand for cybersecurity talent and provides a surefire way to attract cyber and technology professionals to the Big Apple. This will certainly give New York City a leg up in the race to be the next big Tech Town and add depth and dimension to Silicon Alley. Unfortunately for other cities, 23 NYCRR 500 may act as a magnet and pull that talent away, resulting in an even larger cybersecurity workforce gap.
N2K’s executive programs – either in a workshop setting or in your boardroom or executive suite – provide engaging content that will help you learn to manage cyber risk. If you are a senior business leader looking for cybersecurity solutions, you can start or continue your journey by requesting private training or by enrolling in our New York Cyber Resolve workshop scheduled for May 1st. Our programs also include a breach simulation that allows you to experience what it’s like to go through a cyber breach. Take your cyber literacy to the next level. Enroll today.