Speaker: James Tarala
Event: SANS Webcast
Date: December 4, 2024
Watch on YouTube: https://www.youtube.com/watch?v=hIqP1i3e99k
Introduction
With the evolving cybersecurity landscape, organizations must adapt to new risk management mandates outlined in 2024 regulations. In this SANS webcast, James Tarala provides an in-depth analysis of key regulatory changes, explaining how organizations can comply effectively while improving security posture.
James Tarala emphasizes that risk management is no longer optional—governments and regulatory bodies now require clear, structured risk assessment processes that align cybersecurity efforts with business objectives.
Key Takeaways
- Cybersecurity risk management is a core regulatory requirement in 2024, with mandates expanding across industries.
- Three primary definitions of risk assessment emerge from regulations:
  - Risk-based safeguard selection – Using risk management to determine which security controls are needed.
  - Vulnerability-based risk prioritization – Leveraging risk models to prioritize remediation efforts.
  - Safeguard validation – Ensuring security controls are effectively implemented and monitored.
- Regulatory frameworks increasingly emphasize third-party risk management, requiring businesses to evaluate supply chain security.
- Automation and structured governance improve compliance—organizations must move beyond ad hoc security processes.
The Growing Complexity of Cybersecurity Regulations
Cybersecurity regulations have expanded significantly in recent years, with governments pushing for proactive risk management rather than reactive security measures.
Key regulatory trends include:
- Greater accountability for executives and board members in managing cybersecurity risks.
- Increased expectations for structured risk assessment and reporting.
- Prescriptive requirements for third-party risk management, ensuring supply chains meet security standards.
- More frequent cybersecurity audits and compliance assessments.
James Tarala explains that organizations must shift from compliance-focused security to risk-driven governance to keep up with these changes.
The Three Definitions of Risk Assessment
Different regulations define risk assessment in varying ways. Understanding these definitions helps organizations align their processes with compliance requirements.
- Risk-Based Safeguard Selection
  - Used to determine which security controls should be implemented.
  - Aligns with frameworks like NIST 800-30, CIS Controls, and ISO 27001.
  - Often referenced in regulatory mandates but rarely implemented formally.
  - Most organizations rely on industry frameworks instead of custom risk models.
- Vulnerability-Based Risk Prioritization
  - Focuses on using risk assessment to prioritize patching and vulnerability remediation.
  - Common in PCI DSS, NYDFS 500, and financial sector regulations.
  - Requires organizations to use vulnerability scanners (e.g., Tenable, Rapid7, Qualys).
  - Often confused with broader risk management strategies, despite its limited scope.
- Safeguard Validation
  - The most common regulatory expectation: ensure implemented security controls are working effectively.
  - Found in NIST CSF 2.0, SEC regulations, and global cybersecurity mandates.
  - Requires structured internal audits, penetration testing, and compliance tracking.
  - Often tracked through governance, risk, and compliance (GRC) platforms or structured assessments.
Expanding Focus on Third-Party Risk Management
Regulations increasingly require organizations to assess not just their own cybersecurity posture but also that of their vendors and third-party service providers.
- Third-party assessments must evaluate supplier security, contractual obligations, and risk exposure.
- Organizations need structured vendor risk management programs to comply with mandates in NYDFS, SEC cybersecurity rules, and NIS 2.0.
- Risk assessment frameworks should extend to supply chains, incorporating continuous monitoring and contractual security clauses.
Tools and Automation for Compliance
To keep up with evolving regulatory mandates, organizations must move toward automated risk assessment and structured governance frameworks.
Recommended tools and strategies include:
- Governance, Risk, and Compliance (GRC) Platforms (e.g., ServiceNow GRC, OneTrust, Aramba).
- Excel-based risk assessment templates for small and mid-sized organizations.
- Automated vulnerability management and attack surface tracking (e.g., Axonius, RunZero).
- Business intelligence tools for compliance dashboards (e.g., Power BI, Tableau).
- Structured risk registers to track security control effectiveness over time.
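The webcast names two of the assessment styles above, vulnerability-based prioritization and safeguard validation, and recommends a structured risk register to track control effectiveness over time. The following Python module is an added illustration of what such a register looks like in code; it is not code from the webcast, from James Tarala, or from SANS. Its scoring conventions are assumptions chosen for the example: likelihood and impact on 1 to 5 scales, inherent risk as likelihood times impact, residual risk discounted by the effectiveness of the strongest validated safeguard, and vulnerability priority as CVSS times asset criticality with a 1.5 multiplier for internet-exposed hosts. All sample entries, hostnames and finding identifiers are constructed placeholders.

```python
"""Risk register with safeguard-validation history and vulnerability
prioritisation. Added illustration, not code from the webcast or SANS.

Assumed scoring conventions (chosen for this example, not prescribed by the
webcast): likelihood and impact on 1-5 scales, inherent risk = likelihood x
impact, residual risk = inherent x (1 - effectiveness of the strongest
validated safeguard); vulnerability priority = CVSS x asset criticality,
multiplied by 1.5 when the host is internet-exposed.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Safeguard:
    """A security control plus its validation history (date, effectiveness 0-1)."""
    ident: str
    description: str
    history: list = field(default_factory=list)

    def record_validation(self, when: date, effectiveness: float) -> None:
        if not 0.0 <= effectiveness <= 1.0:
            raise ValueError("effectiveness must be between 0 and 1")
        self.history.append((when, effectiveness))
        self.history.sort()  # keep chronological order regardless of insertion order

    def current_effectiveness(self) -> float:
        # An unvalidated control earns no credit in the residual calculation.
        return self.history[-1][1] if self.history else 0.0

    def trend(self) -> float:
        """Change between the two latest validations (positive = improving)."""
        if len(self.history) < 2:
            return 0.0
        return round(self.history[-1][1] - self.history[-2][1], 2)


@dataclass
class Risk:
    ident: str
    description: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)
    safeguards: list = field(default_factory=list)

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual_score(self) -> float:
        best = max((s.current_effectiveness() for s in self.safeguards), default=0.0)
        return round(self.inherent_score() * (1.0 - best), 2)


@dataclass
class Vulnerability:
    host: str
    finding_id: str         # constructed placeholder ids, not real CVEs
    cvss: float             # base score 0-10 from the scanner
    asset_criticality: int  # 1-5, taken from the asset inventory
    internet_exposed: bool


def remediation_priority(v: Vulnerability) -> float:
    score = v.cvss * v.asset_criticality
    if v.internet_exposed:
        score *= 1.5
    return round(score, 2)


def prioritise(vulns: list) -> list:
    """Highest remediation priority first."""
    return sorted(vulns, key=remediation_priority, reverse=True)


def rank_register(risks: list) -> list:
    """Residual risk, highest first, as it would appear in an executive report."""
    return sorted(risks, key=lambda r: r.residual_score(), reverse=True)


def sample_register() -> list:
    """Constructed sample data."""
    mfa = Safeguard("SG-01", "MFA enforced on all remote access")
    mfa.record_validation(date(2024, 6, 1), 0.5)   # half of accounts covered
    mfa.record_validation(date(2024, 12, 1), 0.8)  # re-validated after rollout
    return [
        Risk("R-01", "Credential theft via remote access", 4, 5, [mfa]),
        Risk("R-02", "Vendor outage delays payroll", 2, 3),  # no safeguard validated yet
    ]


def sample_vulns() -> list:
    """Constructed sample scanner output."""
    return [
        Vulnerability("web-01", "FINDING-001", 9.8, 5, True),
        Vulnerability("build-07", "FINDING-002", 7.5, 2, False),
        Vulnerability("vpn-gw", "FINDING-003", 5.0, 5, True),
    ]


if __name__ == "__main__":
    for r in rank_register(sample_register()):
        print(r.ident, "inherent", r.inherent_score(), "residual", r.residual_score())
    for v in prioritise(sample_vulns()):
        print(v.host, v.finding_id, remediation_priority(v))
```

Two things the sample shows that a checklist does not: R-01 has the higher inherent score (20 versus 6), but once the MFA control has been validated at 80% effectiveness its residual risk (4.0) drops below the unmitigated R-02 (6.0), so the register ranks R-02 first; and the vulnerability with the lower CVSS on the internet-facing VPN gateway outranks the higher-CVSS finding on a low-criticality build host. Both orderings depend on the assumed weights, which a real program would set and document in its own risk methodology.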
Actionable Insights
- Understand regulatory expectations. Determine whether your organization must conduct risk-based safeguard selection, vulnerability management, or safeguard validation.
- Develop a structured risk assessment process. Move beyond compliance checklists—focus on measuring security effectiveness.
- Prioritize third-party risk management. Ensure that suppliers and service providers comply with cybersecurity mandates.
- Leverage automation for risk tracking. Use GRC tools, business intelligence dashboards, and security analytics to manage compliance efficiently.
- Report cybersecurity risks at the executive level. Leadership must be informed, accountable, and involved in cybersecurity decision-making.
Conclusion
Cybersecurity risk management has become a regulatory imperative, requiring organizations to move beyond reactive compliance and adopt structured risk governance.
By understanding regulatory expectations, leveraging automation, and improving third-party risk assessments, organizations can ensure compliance while strengthening security defenses.
For more insights on this topic, watch the full webcast on YouTube: https://www.youtube.com/watch?v=hIqP1i3e99k