Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
There’s been a lot of talk about the new SEC rules around incident, risk, and governance disclosure for public companies. Many security professionals are excited about them and have written posts on what they mean for CISOs. Although I believe having more explicit cybersecurity regulations is important for the community, I also believe that the community’s excitement around them reveals a more fundamental problem: namely, that CISOs have lost control.
Despite that, nothing should fundamentally change about security programs that were focusing on the correct issues in the first place. What these rules will do is reveal ineffective CISOs.
Why are these new rules good?
Regulations typically emerge because people haven’t been following existing rules or accepted practices. For CISOs whose organizations already fall under stricter laws such as HIPAA, nothing should change with this new regulation if those laws are being properly followed. However, many CISOs haven’t been managing risk properly. That’s honestly not surprising: the changing technology landscape has shifted the risks into areas where many CISOs are now out of their league. (I’ve advocated in the past that CISO turnover is good for the community.)
The introduction of these rules reveals a new dimension to cybersecurity. In the past, cybersecurity has been seen as an operationally focused organization akin to IT and legal: one that is hard to scale and whose risks are hard to measure. Many CISOs have taken it upon themselves to create better metrics that show the effectiveness of their organization, justify additional resources, and demonstrate the value they deliver. Unfortunately, those metrics have always been a bit nebulous, and many executive teams have filed security away as an operational organization that can be reduced or even cut in tough times. In other words, security leaders have spent too much time using FUD (fear, uncertainty, and doubt) to demand resources rather than focusing on business value. With this new regulation, the SEC has implied that cybersecurity risk and business risk are inextricably tied.
For security leaders, this validates that bad cybersecurity practices pose a serious business risk, but it also shows the other side: sometimes we need to accept risk for the business. The most important part is having a leader who properly understands and manages these risks. These rules force the executive team to think about what kind of risk cybersecurity is for their particular organization, and what they ultimately decide affects organizational design. For example, they force questions such as:
Should cybersecurity be under the CTO? If it is, it’s perceived as a technological risk.
How about the CFO? Then, it’s perceived more similarly to financial risk.
Maybe the COO? In this case, it’s perceived as an operational risk.
Or maybe it should be its own organization?
It’s important to define who manages this risk and to inform shareholders, so that they can better understand the types of risks the company is taking and where the company believes its cybersecurity risks lie, and make an informed decision accordingly.
Why is the excitement around these rules bad?
It’s a bit disappointing that the community is celebrating these rules and presenting them as “progress.” As I stated above, rules exist because basic standards are not being followed. In my opinion, a big reason for this is that CISOs have been losing influence with the executive team. They have been too prescriptive about what needs to be done rather than influencing and navigating their organizations like every other executive.
For example, as part of the tech layoffs, Patreon let go of its whole security team. That was previously unheard of. Many blamed Patreon’s executives, but some also blamed the security leaders. Although we don’t know exactly what happened, it’s clear that the executive team lost confidence in the security team and doubted its effectiveness. Whether that judgment was right or wrong is not the point. The point is that the security leaders had trouble communicating their value to the board and other executives.
What’s disappointing about these SEC rules is that they are another tool for CISOs to prescribe what should be done at a company rather than focusing on problem-solving and doing what’s best for the business. In other words, security leaders too often hide behind compliance and regulations to force results rather than doing what other executives have to do: influence others and sell the value of their organization by demonstrating positive business value. If executives can’t trust the security organization, how can customers trust it?
Of course, there are companies whose executives don’t believe in cybersecurity risk and want to minimize spending. It’s hard to convince those executives to spend more, but I do believe that cybersecurity is becoming a larger component of the trust customers place in a product and a company. As markets become more competitive, strong cybersecurity practices will become an important differentiator. That can happen without additional regulations.
Advancing security maturity
For those who already have strong processes to manage and communicate risk, these rules shouldn’t be too much additional work. If they are, companies should take a serious look at their security leadership and decide whether that person is the right leader. It’s likely they have focused too much on taking shortcuts for compliance rather than building the components necessary for a successful security program.
For others, this is more work, but it will advance the security maturity of the company in a standardized way. There will unfortunately be more process, but none of it seems unreasonable.
Takeaway
Regulations are a double-edged sword. They are good for creating standardization and bringing attention to issues. However, they tend to appear only when the government believes that certain best practices are not being followed. Either way, this regulation can help mature security organizations and policies. As regulation increases, I worry that security leaders will use it as a forcing function rather than figuring out ways to demonstrate the value of their organization.