One CISO’s Answer to the “Materiality” Question Changes the Game for all of Us
Leigh McMullen
Keynote Speaker, Consigliere, Distinguished Industry Analyst and Gartner Fellow
Was talking with my new friend Wayman Cummings about the new SEC rules and I think one comment he made will radically change our industry.
"When you’re an $80 Billion dollar company the bar for materiality is actually pretty high.” - Wayman Cummings, Deputy CISO, Sysco.
?That’s a huge “Ah-Ha” moment and one that I think will ultimately change our profession for the better.
Today CISOs are playing a game whose only possible scores are zero or negative
It’s a defense only game. ?We can’t score points on our adversaries, so from the point of? view of our stakeholders, we’re either not getting hacked ?-- which puts no “points on the board” or we are being hacked, in which case we’re losing.
This ”zero tolerance” for failure mindset is one that my buddy Chris Mixter is tackling head on in next years security and risk keynote, and we should all be excited for what he has planned.
The SEC Rules aren't a 'gun to our heads', they're how we finally can put points on the board.
As much as it may feel like it, the new SEC rules aren’t threats to us.? Yes CISOs and executives are being held personally liable for cybersecurity failures, and that’s Scary, Andrew Walls and I are developing guidance for CISO’s on how to best mitigate that personal risk.
领英推荐
That being said, this new rule for “Materiality” actually does is give us a concrete goal –It’s how we can finally put points on the board and demonstrate INCONTROVERTABLE BUSINESS / MISSION VALUE.
The new game is this simple, it’s not about preventing every attack or hack, it’s ensuring that no breach rises to the level of “materiality”
THAT. ?That becomes our new mission.? And that’s one we can WIN.
?WHERE DO WE GO FROM HERE?
Regardless of if you’re regulated by the SEC, regardless of whether you have shareholders at all, the “materiality” bar changes the game for all of us. ??Our first steps ought to be a very clear definition of what constitutes “Materiality” in common threat scenarios. Andrew, Chris and I have research forth-coming on how you can use your existing business impact assessments and continuity plans to very quickly arrive at a definition for “materiality” for your most important value/mission chains / assets.
If you want more info on what Gartner is advising clients on the new SEC rules, my friend Lisa Neubauer is our point analyst on this issue, your client exec can set up a call.
The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.
CTO, SGNL and Corporate Board Member, OpenID Foundation
1 年Love this! We need to ensure that "one ten-minute phone conversation" from a hacker doesn't bring down a $34 billion organization. In addition to preventing breaches, we must also focus on mitigating the damage in the event a breach does occur.
CEO & Co-founder at Kovrr | Cyber Risk Quantification
1 年Well said, and I agree. Although it will be challenging, the SEC gave CISOs an opportunity to shift cybersecurity discussions up to the board and reshape the way these higher-level executives frame cyber. Collaborating with board members when defining material risk and basing the definition on quantitative thresholds allows CISOs to align their initiatives with the broader business strategy, ultimately demonstrating how security measures create value and drive resiliency. Finally, CISOs and the board will be speaking the same language.