By Tim Callahan
Global CISO, Aflac
Chair, NTSC Board of Directors
Today, more and more CISOs report to the CEO, General Counsel, or Board of Directors—reflecting the growing importance and evolution of the CISO role. However, while CISOs may have become more prominent within their own businesses, that prominence hasn’t necessarily translated to public policy. At any given time, our government is drafting and passing a variety of cybersecurity legislation and regulations that will affect our businesses.
One example is national data breach notification legislation. The costs of planning for and responding to a data breach continue to increase in the United States because we currently have separate data breach notification laws for each of 48 states plus the Virgin Islands, Guam, Puerto Rico, and the District of Columbia. Plus, different industries such as financial services, healthcare, and insurance have specific data breach notification requirements. A national data breach notification law would eliminate excess, redundant laws by providing uniformity and predictability—strengthening security requirements while lowering the cost of notification.
Another, more contentious, example is encryption. Is it good public policy to require encryption as a cybersecurity solution, or is it better public policy to require an effective means to protect data and leave flexibility about the way to get there? The encryption debate gets emotional for some when law enforcement wants a backdoor for investigations—which may help law enforcement but could weaken overall data protection efforts.
These are just two examples of the many national cybersecurity policy issues that I think I’m more able to impact through the National Technology Security Coalition (NTSC). As Board Chair and an NTSC member since the group’s inception in January 2016, I believe that CISOs need to get more involved in the public policy process through a group like the NTSC.
Participation in our inaugural NTSC National CISO Policy Conference is an important step in that direction. This conference offers CISOs and other cybersecurity stakeholders a national platform to discuss important cybersecurity policy issues and generate insightful input that we can use to influence public policy at its early draft stages. The NTSC actively lobbies in Washington, D.C., and members regularly communicate with lawmakers and policymakers. Your participation at this conference and with the NTSC really does make your voice heard.
If you’re a CISO, then I hope to see you at this conference. We can’t change national cybersecurity policy alone. With a broad membership of CISOs covering many different industries and companies, we approach important cybersecurity policy issues with a non-partisan, holistic, practical viewpoint. We’re uniting the voice of the CISO across diverse industries and companies under one organization to present our ideas, concerns, and guidance to policymakers.
I encourage you to become a part of our efforts. If you are not a member of the NTSC, then the inaugural NTSC National CISO Policy Conference is a great way to get introduced to our mission and CISO community. Together, we can leverage the growing voice of the CISO within our companies and work on amplifying that voice at a national level to do our part in protecting our companies and the nation from the ever-growing cyber threat.