How Are New SEC Rules Impacting CISOs?
We're seeing increasing regulations and legal responsibilities for CISOs. But are CISOs set up to succeed in meeting these within their organizations, and do regulators realize this?
This week’s episode is hosted by me, David Spark , producer of CISO Series and Steve Zalewski . Joining us is Allan Cockriel , CIO of global functions and group CISO, 壳牌 .
Striking a balance?
Changes in SEC rules have made it clear that organizations have to step up their breach notification process. However, it can be challenging for organizations to strike a meaningful balance between doing what’s right and not overwhelming regulators with noise from being extra cautious. "Boards of publicly traded companies are now on notice to over-communicate. It can be difficult in a public disclosure to provide enough detail to outline the risk without showing all of one's cards. Where's the balance in how much info to disclose?" said Jonathan Waldrop , CISO of The Weather Company . Of course, some argue that, given advanced threat actors' asymmetric advantage, there should be a much higher regulatory bar. Ted Heiman of CISO Guru made that case, saying, "The CISO is not Superman. They must contend with nation-state actors with nearly unlimited budgets, unlimited manpower, and unlimited MIPS. Holding CISOs accountable for a breach is ridiculous unless true negligence exists."
Will we see a talent exodus?
The new SEC rules clarify that CISOs won’t be off the hook. Many question if this will lead to a talent exodus in the position. "This sets a tone for how the SEC views unaddressed cyber risk and how they will prosecute it. There will be a mass exodus of CISOs. Companies without CISOs will lose investors, and then there will be a huge need for new CISOs," speculated Damian A. Golladay of Leonardo DRS . The main concern seems to be that these new rules don’t directly do anything to improve cybersecurity. Mike Pedrick of Nuspire said, "I appreciate the need for ethical behavior, but being overly heavy-handed with CISOs does not help the cause against external threats. Rather the opposite, when good CISOs find their way out of the industry in an abundance of caution and self-preservation."
Playing by the same rules
While these rules may mark a significant change for CISOs, some argue the rest of the C-suite has long accepted this responsibility. If CISOs want a seat at the table, this is the name of the game. "The CFO can't blame the CEO for knowingly fraudulent accounting disclosures, nor can the CISO on cyber disclosures. If the CFO reports to management and they still publish fraud, he must report it to law enforcement. CISO is no different," said Charles Herring of WitFoo . Rather than being seen as an external burden, these new SEC rules are what you accept with the role, as Jennifer Bayuk outlined, saying, "Sending in paperwork to the SEC is a regulatory requirement, and the individual has to sign the paperwork personally. The message for CISOs should be if you cannot personally vouch for living inside best practices when they ask you to sign, look for another job."
This is an organizational responsibility
One narrative we hear about the new SEC rules is that they make the CISO the easy scapegoat for an organization’s security failures. However, putting additional responsibility on CISOs doesn’t mean the rest of the organization is taking it easy. "No individual is on an island as a CISO. It takes a village, and there should be a heavy hand for not just the CISO but everyone involved, including C-level risk managers and especially the board of directors. The recent SolarWinds case shows a clear lack of oversight and due care by the management team,” said Bryan Becker of Class IV .??
Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast , please go ahead and subscribe now. Thanks to SpyCloud .
Huge thanks to our sponsor, SpyCloud
Subscribe to Defense in Depth podcast
Please subscribe via Apple Podcasts , Spotify , YouTube Music , Amazon Music , Pocket Casts , RSS , or just type "Defense in Depth" into your favorite podcast app.
Join us TOMORROW, Friday [11-08-24], for "Hacking MFA"
Join us Friday, November 08, 2024 , for?“Hacking MFA: An hour of critical thinking about how threat actors circumvent this mainstay of authentication.”
It all begins at 1 PM ET/10 AM PT on Friday, November 08, 2024?with guests Jason Haddix , field CISO, Flare and Arvin Bansal , CISO, C&S Wholesale Grocers .?We'll have fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.
Thanks to our Super Cyber Friday sponsor, Flare
Cyber Security Headlines - Week in Review
Make sure you?register on YouTube ?to join the LIVE "Week In Review" this Friday for?Cyber?Security?Headlines?with?CISO Series?reporter Richard Stroffolino .?We do it this and every Friday at 3:30 PM ET/12:30 PM PT?for a short 20-minute discussion of the week's cyber news. Our guest will be Ken Athanasiou , CISO, VF Corporation . Thanks Vanta .
Thanks to our Cyber Security Headlines?sponsor, Vanta
Come see CISO Series Podcast LIVE at DataSec Conference in Dallas 11-14-24
The CISO Series Podcast is heading to TEXAS, for a live audience recording of our podcast at DataSec Conference 2024 . Joining me on stage for the recording will be Rinki Sethi , vp and CISO, BILL and Lamont Orange , field CISO, Cyera .
Here’s everything you need to know:
WHERE: Kimpton Pittman Hotel, 2551 Elm St, Dallas, TX 75226
WHEN: The event runs from November 13 through 14, 2024, but we’ll be closing out the show on November 14th, 2024.
This event is invitation-only for qualified CISOs, CIOs, CTOs, CDOs, cybersecurity VPs, Data Security Architects, and Data Privacy Leaders. Register to attend HERE .
HUGE thanks to our sponsor, Cyera
Jump in on these conversations
"How did you feel when you landed your first cybersecurity job vs. how do you feel now, assuming you’re still in?" (More here )
"How much in demand are certificates like the 'Google Professional Cloud Security Engineer' certifcate?"?(More here )
"Why not enable SSH?"?(More here )
Coming up in the weeks ahead?on?Super Cyber Friday?we have:
Save your spot and register for them all now!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com .
Interested in sponsorship, contact me, David Spark .
Cybersecurity & Technology Trusted Advisor ? Operating Executive & Advisor
1 周Very engaging listen regarding the evolution of the CISO. This role needs to move beyond the technical management role to an executive leader. You can not have your cake and eat it too if the CISO will have this level of liability given what they are asking to attest to.
CEO & Co-founder at VISO TRUST | fmr CISO
1 周The VISO TRUST platform monitors 8K filings for material security incidents reported. Over the past 10 months the rate of filings is about 5 per month. At this rate about 1% of publicly traded companies per year.
Award-winning servant leader in security risk management with proven ability to mitigate risk, meet client & regulatory commitments while also maximizing efficiency, innovation, teamwork, and profitability.
1 周Let us also not forget existing myriad of existing US federal regulations (e.g., FRB Information Security Guidelines, HIPAA,) not to mention proposed legislation that may further ensure accountability of CEOs regarding the efficacy of cybersecurity programs (e.g., SOX type legislation) and in the EU under DORA. In other words, companies can either ensure they can demonstrate a "duty of care" and are "fit for purpose" or the regulators will enforce same at a much higher cost (direct/indirect financial losses).