Why we need better cyber regulation to protect the UK from disruption
www.computerweekly.com
It's not easy for firms to understand how to comply with global security and resilience regulation. There's no single place where all regulation comes together, and it's often down to regional compliance teams and security leaders to interpret policies, which leads to a lack of joined-up thinking and extremely siloed approaches.

However, although there will always be nuances based on the geographical jurisdiction where a firm operates, several global regulatory themes are emerging:

- Operational resilience and security are now as important as financial resilience
- Transparency and timely reporting are key
- Focus on foundational cyber controls
- Do the right thing for your customers and the rest will follow

A number of regulations focus on the need to identify the most important services that a firm offers to its customers and markets, and to make them secure above all else. Examples include the Building Operational Resilience regulations in the UK and the Digital Operational Resilience Act (DORA) in the EU.

These regulations have come about because there's a belief that firms often focus on financial resilience, while outages caused by exploitation of vulnerabilities or operational failure were occurring too regularly and disrupting customers' lives. There have been many examples of major outages in recent years caused by cyber as well as operational and supply chain issues, including CrowdStrike, WannaCry and multiple outages impacting the airline industry.

Firms need to identify their most important services and protect the infrastructure needed to run them. This is typically achieved by working out how much harm would be caused by a service outage and then tiering services accordingly. The most important services should receive the most investment and protection.

When things do go wrong, regulators are keen to understand the detail. A number of regulations globally focus on the need to report security, cyber and resilience issues in a timely manner. Examples include the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) in the US, reporting requirements under DORA in the EU and breach notification for privacy-related incidents globally, such as under the GDPR.

Firms should make sure that they can report cyber and operational incidents in a timely manner, including understanding who will draft and approve the notification and who will liaise with each regulator. Regulators then need to be kept informed as the incident progresses, including what the organisation is doing to resolve it.

Each jurisdiction may have different timescales for reporting, so keeping a log of regulations and reporting requirements (updated at least monthly) is important. There are tools that can automate this, which might reduce the effort required for large global organisations to keep up to date with regulatory reporting requirements.

Some jurisdictions are heavily endorsing a focus on foundational cyber controls. For example, in the US any firm that wants to offer cloud services to the federal government needs to be certified under the FedRAMP scheme to ensure that baseline cyber controls are in place.

Recognised standards such as ISO 27001 and NIST CSF have become a focus for firms that want to demonstrate that they are continually improving their cyber controls. They are also useful for board reporting, where members of the board need to understand their firm's relative cyber maturity.

Firms should be reviewing the maturity of their cyber controls at least annually and against a recognised standard. This is just as important for non-technical controls: for example, making sure that teams are trained to spot phishing attacks, that there's regular exercising and simulation for incident response, and that cyber and resilience leadership behaviours are fully aligned with protecting the firm and its customers.

It's implicit in most new regulations that a focus on protecting customers will lead to better security outcomes overall. Some jurisdictions have gone further and released regulation to protect these outcomes (such as Consumer Duty in the UK financial services industry).

Often when the worst happens, how a firm helps its customers to deal with the disruption is a crucial (but often forgotten) part of the response. The aftermath of a cyber attack can last for months and years, with the almost inevitable investigations (some driven by regulatory requirements) that follow.

Whilst the old saying "always bank with a bank that's just been robbed" might be a little contrived, there is an element of the anti-fragile in it: a firm's operations gain strength by being stressed from time to time. Firms are often judged on the strength of their response to customers and markets; those that get it right are often able to emerge stronger and more resilient.

Governments are always keen to emphasise the importance of reducing regulatory burdens, and nobody would argue that regulation should slow innovation. However, there's a general perception that the public, consumers and markets have been under-protected from cyber and operational impacts, and regulators are now addressing these concerns. This means we're unlikely to see the focus shift away from cyber, operational resilience and supply chain regulation any time soon.

Adam Stringer is head of cyber, privacy and operational resilience in financial services at PA Consulting.