Navigating the GRC landscape: Insights from Mark Weatherford, former deputy under secretary for cybersecurity

About this series: Ahead of Mandiant’s 2024 mWise event in Denver Sept. 18-19, we’re talking to security industry influencers about the current state of security—specifically the topics, challenges, and opportunities that are on the mWise agenda.

Mark Weatherford, former Deputy Under Secretary for Cybersecurity at the US Department of Homeland Security and former CISO for the states of California and Colorado, spoke with SC Media about the evolving challenges he sees in Governance, Risk, and Compliance (GRC) that today’s CISOs face.

He shares his perspective on the complexities of the regulatory environment, the critical need for continuous monitoring, and the transformative potential of AI and ML in enhancing cybersecurity operations.

He also reflects on the shifting stakes for CISOs over the years and offers valuable advice for the next generation of cybersecurity leaders.

As someone who has been responsible for regulatory compliance as a CISO, and as someone who served in the Obama Administration, what are your thoughts on the current GRC landscape?

Weatherford: First off, the pace of the evolving threat landscape is staggering and staying up on new vulnerabilities, attack vectors, and sophisticated threat actors is a full-time job in itself. Secondly, the regulatory environment in some sectors is so complex that a CISO may need an entire team of people (including lawyers) focusing on understanding the regulatory environment just to keep up. Finally, integrating GRC is not trivial and requires a significant level of effort to work with, and across, all the responsible departments within a company.

My recommendation is to begin with a continuous monitoring mindset because that kind of visibility is table stakes for real-time insight into your security environment. Real-time visibility allows you to quickly identify gaps and then conduct the automated compliance, regular system updates, and vulnerability patching that a lot of organizations still find challenging. This is an area where AI and ML can really raise the bar for threat detection and response capabilities, and help to manage overall compliance more efficiently.

You have previously raised concern about the unintended consequences of over-regulation and the way those regulations are being crafted. Can you elaborate?

Weatherford: Well, mostly I worry that regulators, including legislators, don’t completely understand how complex the cybersecurity environment is and the challenges most organizations face on a daily basis. Most importantly, I try to help people understand that cybersecurity is not a one-size-fits-all terrain, where what makes sense in one company may not make sense in another company. For example, in the electricity sector, availability of systems is literally the most important thing operators (and regulators) worry about, since outages can affect millions of people. So, regulations that are more focused on, say, integrity or confidentiality of data (which is still very important) at the expense of the availability of systems are not only not going to be well-received, but are also likely to be ignored completely, which completely undermines the intent of regulation.

The answer of course is close collaboration between those creating regulations and the specific professionals working in the companies expected to comply with those regulations.

It’s a challenging environment for current CISOs and those on the CISO track. How have the stakes changed since you were a CISO?

Weatherford: When I began working in the information security arena back in the dark ages of the 1990s, we were expected to be experts in everything related to security. Everything. Back then, I could draft policy, write firewall ACLs, create security scripts to make my life easier, and brief my CEO - all in one day. That’s impossible in 2024 simply because of the time required for a CISO to meet their daily obligations. Not only has the threat and vulnerability environment changed dramatically, but the toolbox of technologies and services we use in our companies to address those threats and vulnerabilities has grown exponentially. I’m very uncomfortable when people call me an ‘expert’ these days because I know that there are many, many gaps in my knowledge about everything going on in today’s security environment.

So, while we are being challenged like never before and the CISO role has more responsibilities than ever, there is good news:

There are a tremendous number of opportunities to grow as a security professional by getting experience in the field and learning both new technologies as well as understanding what it means to be part of the executive team. The downside is that CISOs are often prematurely elevated to the role without the requisite cuts, scratches, and bruises that come with experience.

What should next-gen CISOs be doing to prepare?

Weatherford: Experience is everything. Education and certifications are great, but ask anyone hiring and the discriminator between being a mediocre CISO and a great CISO is almost always experience. In the Navy we called it ‘miles on the dials.’ I think being a CISO is both a critical and a very honorable role because of the vast responsibility placed on the shoulders of today’s CISO. However, being an expert in just a tiny slice of cybersecurity without any significant experience in things like incident response, conducting risk assessments, vendor management, communicating with the board, and managing a team of professionals – among many other things – sets a CISO up for a mismatch in expectations. Of course, you can’t be an expert in everything, but the more diverse experiences you have, the more qualified and valuable you will be to the company.

How should next-gen CISOs be thinking and preparing for the continuing intersection of AI and cybersecurity?

Weatherford: Learn as much as you can and think creatively. AI is the ultimate force multiplier IMHO and is going to help us in ways we can’t even begin to fathom yet. Being able to step outside our cybersecurity box and look from the outside-in with a problem-defining mindset will set CISOs apart from the crowd. I talk with people almost every day who have great ideas for how AI can help them in their cybersecurity jobs. That kind of creative thinking is what has always helped great leaders move to the front of the line quicker than others.
