With two major actions in the last six months of 2023, the Securities and Exchange Commission (SEC) has made it clear that it plans to get tough on cybersecurity. As a result, chief information security officers (CISOs) and their teams will need to expand their focus from the battlefield to the boardroom, as the threat landscape emerges more than ever as a business concern first and foremost.
The SEC in July announced rules (which went into effect December 18) requiring the disclosure of “material” threat/breach incidents within four days, as well as annual reporting on cybersecurity risk management, strategy, and governance.
And in October, the SEC charged Austin, Texas-based software company SolarWinds Corporation and its CISO, Timothy G. Brown, for fraud and internal control failures. The SEC contends that SolarWinds disclosed “only generic and hypothetical risks” in formal filings, at the same time Brown and other executives/employees knew of specific issues impacting SolarWinds’ security, along with increasingly elevated risks.
This is the first time that the SEC has brought cybersecurity enforcement claims against an individual, as well as intentional fraud charges in a cybersecurity disclosure case, according to White & Case, an international law firm specializing in corporate, financial, and government legal counsel.
The SEC developments could have the greatest impact on corporations since the Sarbanes-Oxley Act of 2002, which mandated the governance, risk management, auditing and financial reporting of public companies, with provisions that punish corporate accounting fraud and corruption. They combine to make a compelling case that all leaders need to support a systematic change. CISOs must empower themselves as consultants and risk mitigators, to drive their entire organization’s increased involvement in – and willingness to take greater responsibilities for – cybersecurity.
CISOs are at an important crossroads. Because of the existing scope and scale of ransomware and the growth of cybercrime, this is no time to stop paying attention to incident detection and response (IDR). CISOs must examine IDR processes and adopt aggressive target metrics such as zero dwell time while they shift their mindset and approach from an adversary-oriented one to a risk-management, business-oriented one.
Here’s how they can respond to the recent developments in ways that comply with the SEC requirements, and actually help their companies emerge as smarter and better protected organizations:
Elevate cybersecurity risk management to a CxO business function
Make cybersecurity risk management like all other business risk management. It’s inherent to the management of any profit and loss (P&L), and a top-level priority for culture and governance. Delegating cybersecurity risk management accountability and responsibility to a CISO role that has neither the budget nor the authority to appropriately manage risk is a major contributor to the risk gap that plagues both private and public enterprise. CISOs play an important advisory role in elevating cyber risk management to their C-suite colleagues and board members, but accountability for the culture and governance of risk management activities belongs at the top of the organization.
Set aggressive metrics for cybersecurity improvement
The business adage that we can manage what we measure is truer than ever. CISOs can identify key performance metrics that matter and show risk gaps by setting aggressive targets for the “to-be” state. For example, if the average time to detect and respond to incidents is nearly 280 days, choose an aggressive target of less than 24 hours. What would it take to reach that metric? It’s a way to establish programmatic improvement that matters.
Commit to more transparency
Brown allegedly knew all about the SolarWinds issues and failed to disclose them, according to the charges, and now he and his company are paying the price. The SEC has overtly told corporations that they will place themselves in legal, financial, and reputational jeopardy for unreported breaches. In response, CISOs should ensure transparent and detailed reporting in 10-Ks and additional forms. Such transparency will create more awareness about threat trends – not just internally within an organization, but throughout industries as a whole.
Take a holistic – and business-centric – approach
CISOs and their teams must adjust from a “Whack-A-Mole” incident-centric mindset to one that focuses on a highly defensive posture that’s as much about business preservation as it is about protecting the network, systems, and data. They have to move toward a security-by-design architecture to dramatically reduce the potential materiality of an incident instead of saying: “We’re going to get hit and we can’t do anything about it.” Rather than constantly going into battle with adversaries, they need to invest in safeguarding systems organization-wide to allow as little risk as possible.
Businesses must embrace the intention of the new SEC rules, which encourage registrants to improve cybersecurity risk management from the boardroom to the C-suite. The SEC has clearly signaled an expectation that material cyber risk will be effectively eliminated, and that it aims to normalize the transparency of cyber risk management and incident reporting. This attention to the cyber risk gap has been needed for decades. Instead of adopting a stance that “everyone’s been breached and this is too hard,” step up to the challenge of adopting risk management practices that will significantly reduce harm from cybercriminals and make cybersecurity a well-managed business function. If it’s good for security, it’s good for business.
Karen Worstell, senior cybersecurity strategist, Carbon Black