A coalition of over 40 chief information security officers (CISOs) from leading companies, including Salesforce, Microsoft, AWS, Mastercard, and Siemens, sent a letter to the G7 and OECD, urging them to take action on aligning international cybersecurity regulations. This move signals a strategic shift: CISOs are no longer only responsible for internal controls but are now calling for change on the geopolitical stage.
This indicates a new phase of collaboration between CISOs and a new phase in cyber leadership, where CISOs are acting collectively across industries and borders, speaking directly to heads of state and global institutions, and demanding political — and not just technical — solutions to systemic cybersecurity risks. Cybersecurity has thus become a global governance challenge.
The letter comes at a critical time. Security teams are facing growing regulatory complexity, with new rules emerging in different countries such as the US, the UK, EU countries, Australia, and beyond with industry- or vertical-specific guidelines and requirements. These rules often contradict each other, adding complexity for security teams, slowing incident response, and draining resources that should be going toward defense, not documentation. This underlines that CISOs are operating in the era of regulatory FOMO.
This letter stands out because it combines public advocacy, policy specificity, multinational representation, and a direct call to the most influential global regulators. It is the first coordinated global policy intervention by CISOs of this scale. The CISOs are not lobbying for reduced oversight. Instead, they are calling for smarter, harmonized regulation to allow for faster incident response, better international collaboration, and more efficient use of strained security resources.
Cybersecurity leaders are no longer just bracing for regulation. They realize regulation is inevitable but that influence over it is still up for grabs, so they are jumping on the opportunity to guide the rules rather than be steamrolled by them. Here’s what you need to know and what you should do next:
Prepare for this letter to result in absolutely no changes. Good intentions are rarely enough when it comes to government action, so prepare for the likely reality that this letter will not have a demonstrable effect on global regulatory policy. Continue what you are doing. The geopolitical risk team and security team must work closely together to map regulatory exposure and build harmonized controls. Catalog regulations that apply to your business, identify regulations overlap, and simplify where you have redundancies or gaps. Design a harmonized control framework where you standardize risk and control language to build toward global audit readiness.
Expect global regulatory disharmony. Despite this letter, the world continues to move away from regulatory convergence. For example, there’s demand worldwide to rely on encryption and other safeguards to transfer personal data from Europe to the US, but the UK is asking tech companies such as Apple to build backdoors and provide government access to users’ data on demand — which is at odds with idealized global standards. In the US, the current administration is deprioritizing consistent, national cyber policies and shifting the responsibility to individual states. The regulatory patchwork won’t go away overnight, but leaders can harmonize their own requirements by rationalizing their security controls and aligning them to common regulatory obligations while standardizing on a common control framework.
Get the board and the business behind you. Regulatory risk is a strategic issue, not just a security or compliance one. The open letter to the G7 is a timely tool to raise visibility at the top. Use it to brief your board or executive team on why global cyber regulation is diverging, what operational risks this introduces, and how harmonized controls and proactive alignment have the potential to reduce costs associated with compliance. Board and C-suite backing delivers additional influence and attention to the issues raised in the letter, with government entities involved with decision-making at the policy level.
Regardless of the initial outcome, support the global effort. Don’t just observe; participate. If you want your voice to be heard in the next phase of cyber policymaking, you must be in the rooms and peer networks pushing for change. Take a more active role in public policy discussions. If you haven’t already joined working groups through ISACs, industry councils, ENISA, or national cyber alliances that engage with regulators, find the org that best fits you and your organization’s needs and get involved. If your organization has already signed the open letter, amplify it. If not, consider how you can support the momentum through your own communications and peer interactions.
