The existing state of regulation
N2K, Sep 23, 2025

Like what you read and curious about the conversation? Visit CISO Perspectives to get further insights into this topic. CISO Perspectives is a weekly column and podcast where Kim Jones explores the evolving landscape of cybersecurity leadership, talent, and risk—because success in cybersecurity is about people, not just technology.

Welcome to the CISO Perspectives Weekly Briefing, where we break down this week’s conversation, providing insights into relevant research and information to help you further understand the topics discussed.

At 500 words, this briefing is about a 4-minute read.

Deregulating standards.

For years, the federal government has served as a leading pillar for establishing and imposing cyber regulations. These regulations have been imposed to support critical infrastructure, recover from incidents faster, and improve national security and stability.

However, as is common with changing administrations, previous regulations and policies are changing in regard to both requirements and enforcement. For the second Trump administration, these changes have resulted in a dramatic policy shift that prioritizes removing regulatory barriers and placing greater responsibility on businesses and state governments for securing cyberspace.

One of the greatest indicators of this change was the dismissal of the Cyber Safety Review Board (CSRB).

The CSRB was originally established under the former Biden administration and acted as a public-private partnership that aimed to review major cyber incidents to help identify lessons learned and recommend improvements for both governmental bodies and organizations. Some of the major events the CSRB helped address included:

  • Log4j Vulnerability
  • Lapsus$ Hacking Group
  • 2024 Microsoft Exchange Hack

However, shortly after taking office, the Trump administration moved to dismantle the organization. When making these changes, the administration stated that these committees were no longer focused on their initial directives and that future efforts would “be focused solely on advancing [their] critical mission to protect the homeland and support DHS’s strategic priorities.”

Alongside removing the CSRB, the administration has also made substantial cuts to the Cybersecurity & Infrastructure Security Agency (CISA). For CISA, the Trump administration has cut roughly 1,000 jobs, which represents nearly one-third of the agency’s workforce, and has proposed cutting nearly $495 million from the agency’s budget. 

These cuts, targeting both funding and expertise, represent how the Trump administration views federal cyber efforts. Rather than leading efforts, the Trump administration seeks to have state and local governments take greater responsibility, arguing that this will create a more responsive and effective management system.

The value of regulations.

Regardless of whether or not these changes are positive, they have yet to fully materialize. Nonetheless, security leaders need to understand what is changing and how these changes are going to impact security capabilities and existing resources.

As federal cyber capabilities are reduced, organizations will need to find, hire, or partner with new resources to keep getting reliable expertise and insights on the latest security capabilities and threat knowledge. Additionally, leaders should understand that the federal resources that previously supported organizations in the wake of a breach are not as robust as they once were. While some state and local governments may be able to fill this void, these changes happened relatively recently, and many states are unlikely to develop these resources rapidly, especially considering that state budgets are far more constrained.

Given this reality, security leaders must be prepared to face a cyber landscape without the institutions that have existed for years. By accounting for these changes and adjusting accordingly, organizations can minimize risks and ensure they have the resources necessary to succeed in this new environment.