WE ARE AT AN INFLECTION POINT WHERE CYBERSECURITY WILL BE VIEWED AS A KEY FACTOR OF BUSINESS AND NO LONGER AN IT NUISANCE.
A number of key events over the last month have given me pause, lit a spark of excitement, and taken my breath away with dread at the body of work ahead of so many in my profession. I’m also an optimist and believe that we, as information security professionals, have the opportunity to fundamentally improve the way that businesses and the marketplace function and make consumers safer as a result. We can do this by stepping into our roles as business leaders and offering pragmatic, sustainable, and adaptable solutions to a burgeoning risk to companies of all sizes and industries.
The stone that tips the scale?
The Securities and Exchange Commission (SEC) introduced a proposed rule in early March that would enhance and standardize the requirements for cybersecurity risk management, governance, strategy and incident reporting for all publicly traded companies in the United States. This is a really big deal, and it has the potential for far-reaching ripple effects: from the reporting structures of organizations, to the investor community, to the focus in higher education.
The SEC summarizes a key desired outcome:
“Consistent, comparable, and decision-useful disclosures would allow investors to evaluate registrants’ exposure to cybersecurity risks and incidents as well as their ability to manage and mitigate those risks and incidents”. – FACT SHEET Public Company Cybersecurity; Proposed Rules
Let’s break this down:
- Consistent, comparable and decision-useful disclosures:
Information Security teams will now have a consistent voice at the Management (with a capital M), Board, and investor level. With this megaphone comes the obligation to communicate in the simplified and understandable language of business.
These disclosure obligations and the potential implications include:
- Reporting cybersecurity incidents within 4 business days of the event being deemed material. 4 DAYS. Companies will not be able to sit on information about cybersecurity incidents or release it at a strategically chosen time that minimizes the impact on reputation and brand. 8-Ks are noticed in the investor community and will bring the awareness and impact of the realized risk closer in time to the actual security incident.
- Periodic disclosures regarding the company’s Information Security program, including: policies and procedures, Management and Board capabilities, and updates on previously reported incidents. These periodic disclosures will communicate the ongoing focus and relative prioritization of information security within the organization. They will show whether an organization is maintaining its cyber hygiene as the threat landscape evolves or skipping the proverbial “dentist check-up” just because it doesn’t have a major toothache, and is therefore potentially unaware of an undetected issue.
- Disclosure in a standardized format (XBRL) will allow for more direct comparison from company to company. Currently, investors or outsiders must sift through Management’s statements within their annual reports and interpret their varied language used to describe cybersecurity risk. The hope of this standardized format is to reduce subjectivity and interpretation bias.
- Allow investors to evaluate…exposure to cybersecurity risks and incidents:
This is potentially the most impactful statement as investor sentiment and perception of risk exposure draws a direct line from cybersecurity risk to share price. The way that corporate America is set up today, this will make cybersecurity a very real priority for C-suite executives as it could have a more direct impact on their compensation and their jobs.
The flip side of this statement is that the investor community will need to increase its cybersecurity acumen to better interpret and evaluate the scale and likelihood of these risks, as well as the impact of these incidents. It will drive improved communication and understanding of the topics from both directions (company communications to the public, and investor response).
- [Allow investors to evaluate a company’s] Ability to manage and mitigate those risks and incidents:
Information security and cybersecurity risk management is a never-ending process – not a “once per year compliance activity”, a final step in a product life cycle, or a roadblock to business objectives. Requiring periodic reporting and an evaluation of how well a company is managing risk will accelerate the infusion of security and privacy principles throughout an organization. It could also provide an opportunity for companies to differentiate themselves from their competitors through the maturity of their information security capabilities and associated risk mitigation.
So what and what’s next?
This is such a big deal because it fundamentally expands the responsibilities and obligations of Management and Boards of Directors for publicly traded companies. Their fiduciary duty and obligations to shareholders related to cybersecurity risk can no longer be delegated, and ignorance of the subject matter will no longer be a secret. The grassroots efforts of information security practitioners have had varying degrees of success over the past decades, but this top-down obligation will likely drive a step-change.
The details released are still just a set of proposed rules and amendments that may not be adopted in the current form. The final language of these rules and amendments as well as the adoption/implementation (observed through the level of enforcement by the SEC) will be the true measure of the impact. That said, I personally believe this is more a matter of “when” and not a matter of “if” these cybersecurity rules are adopted and become a common expectation for all publicly traded companies in the US. I will provide an update or a new post following the conclusion of the comment period in May.
What can/should I and my company do about this?
As with anything that you want to make stick, my recommendation is to start small, identify and celebrate early victories, and frame this as a desired outcome, using terms and timeframes that you understand and that make sense for your situation.
For security practitioners, I encourage you to practice communicating what you do, why it matters, and what makes you interested in it to your friends, family and extended colleagues. Avoid using jargon and practice putting your ideas into language that your grandmother would understand. Share your knowledge, recommendations, and tips so that everyone can “level up”.
For non-security professionals, I encourage you to re-read your security and privacy policies and procedures for your company (and actually consider the words, don’t just skim and acknowledge to be ‘compliant’). If you don’t know if your company has security or privacy policies, ask your leadership, ask your IT help desk, search your company’s intranet. Get to know the information security professionals in your organization and ask them about what they’re working on and what keeps them up at night. Ask them questions and help them to help you understand how your job is related to information security and the cybersecurity risk to the organization. Follow CISA on LinkedIn, Twitter, or Facebook.
For company management, familiarize yourself with a few of the industry frameworks for cybersecurity starting with the NIST Cybersecurity Framework or the Center for Internet Security (CIS) Critical Security Controls. If you don’t already have an Information Security team, establish one, even if it is a “virtual team” of like-minded and capable individuals. If you don’t have a clear plan or strategy around Information Security, set the appropriate Implementation Group of the CIS Controls as your target and start talking about what it will take to get there.