If it seems like cyberattacks are escalating and security breaches are becoming more common, it’s not your imagination. The hyper-connected nature of our world, the growing use of cloud applications and the fact that data now resides anywhere are all contributing factors to the ubiquity of cyberattacks. Threat actors now have more ways than ever before to commit cybercrime, and the advent of AI has significantly contributed to the growth of these methods, such as phishing, by lowering the barriers to entry for criminals.
This dynamic is causing a sea change in how cyber is viewed by CXOs and the board—in some ways elevating it to a top priority. In my last article, I covered the criticality of properly assessing cyber risk and what CXOs, board members and security leaders can do to protect their organizations and how the new SEC rules on cybersecurity are placing an even larger onus on board members to be well-versed on the topic.
Given the broad implications of the new SEC regulations, I thought it would be helpful to cover the topic in greater depth, especially within the context of what it now means to CXOs and board members and how they can adapt accordingly.
New SEC Rules Shine A Spotlight On Cyber
In July 2023, the SEC instituted a set of new rules for cyber risk management, cyber governance and cyber incident reporting designed to give investors a better understanding of the increasing impact of cyber incidents on public companies. The new rules aim to ensure consistent and decision-useful disclosures regarding an organization’s exposure to cybersecurity risks and incidents. Per the ruling, beginning December 15, 2023, the SEC will:
- Require current reporting about material cybersecurity incidents on Form 8-K;
- Require periodic disclosures regarding, among other things:
  - A registrant’s policies and procedures to identify and manage cybersecurity risks;
  - Management’s role in implementing cybersecurity policies and procedures;
  - Board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk; and
  - Updates about previously reported material cybersecurity incidents.
Because board oversight plays such a major role in the annual 10-K reporting process, board members and CXOs are naturally concerned about the implications of these new rules.
Beyond Disclosure: New SEC Rules Require Shifts In Organizational Communication
Prior to the SEC ruling, cyber was already becoming a bigger priority in the boardroom, though this new development has certainly heightened its visibility. Now, board members and CXOs must not only be aware of and knowledgeable about cyber, but must also be able to understand the potential business impacts of a cyber breach, all within the context of managing cyber risk.
This requires security leaders and IT practitioners to convey that information in a way boards will understand, translating technical terms and situational nuances into language that resonates with a business audience.
Rather than addressing a question like, “What technologies will be most effective in preventing a cyber breach?” security leaders should tune their talk track to highlight concepts and terminology that will bring clarity and understanding to this audience. Based on numerous conversations with board members and CXOs, I’ve found that the most effective way to explain cyber risk principles is to discuss them using the following terms:
- Attack surface – Anything that can be reached by an adversary, such as a VPN or external firewall.
- Risk of compromise – What’s the likelihood that an adversary will take advantage of this vulnerability?
- Lateral movement – An adversary’s ability to move laterally within the environment to find sensitive data.
- Data loss – Once data is found, what are the chances of it being stolen?
Using these clear and definable terms facilitates discussion and understanding, ensuring that everyone is on the same page, which in turn leads to collective agreement on a security strategy for the entire organization.
Tackling Cyber Risk
Once an understanding of cyber principles and priorities has been agreed upon, the conversation may progress into a discussion about how to mitigate cyber risk. Considerations at this stage in the conversation include:
- What are our potential threats and vulnerabilities?
- How do we protect against and detect cyber threats?
- What is our incident response plan?
To implement a comprehensive cybersecurity strategy that effectively manages cyber risk, organizations must look at the situation holistically and consider introducing modern architectures, such as Zero Trust, which can greatly reduce cyber risk. Zero Trust security is built on the principle that no user, device or application is inherently trusted: every access request is verified against a set of business policies based on contextual data and credentials, preventing unauthorized access. Zero Trust architecture is the opposite of firewall- and VPN-based security, legacy technologies that should be phased out because they give enterprises a false sense of security. There are additional benefits of a Zero Trust architecture approach, which I will elaborate on in a subsequent article.
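The per-request verification described above, shown as an added example written for this edit (it is not code from the article or from any vendor's Zero Trust product). The Python below contrasts a network-location rule, where anything arriving over the corporate network or VPN is trusted, with a policy that evaluates each request on identity, device posture and resource sensitivity and ignores network location entirely. All signal names, the policy table and the two sample requests are constructed for the illustration.

```python
"""Illustrative Zero Trust access decision (added example, not from the article).

Contrasts a perimeter rule ("inside the network or on VPN, therefore trusted")
with a per-request, context-aware policy. Every signal, policy entry and sample
request below is constructed for this illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset        # group memberships from the identity provider
    mfa_verified: bool       # strong authentication completed for this session
    device_compliant: bool   # endpoint posture check (managed, patched, encrypted)
    source_network: str      # "corp", "vpn" or "internet"
    resource: str            # application or data set being requested
    sensitivity: str         # "public", "internal" or "confidential"


def perimeter_decision(req: AccessRequest) -> bool:
    """Legacy model: location is the only signal, so a stolen VPN credential
    or a compromised host on the LAN is trusted as much as a real employee."""
    return req.source_network in {"corp", "vpn"}


# Constructed policy table: resource sensitivity -> minimum requirements.
POLICY = {
    "public":       {"mfa": False, "compliant_device": False, "groups": set()},
    "internal":     {"mfa": True,  "compliant_device": False, "groups": {"employees"}},
    "confidential": {"mfa": True,  "compliant_device": True,  "groups": {"finance"}},
}


def zero_trust_decision(req: AccessRequest) -> tuple[bool, list[str]]:
    """Evaluate every request on identity, device and resource context.
    Network location is deliberately not an input. Returns (allowed, reasons)."""
    rule = POLICY.get(req.sensitivity)
    if rule is None:
        return False, ["unknown sensitivity: deny by default"]
    reasons = []
    if rule["mfa"] and not req.mfa_verified:
        reasons.append("MFA required")
    if rule["compliant_device"] and not req.device_compliant:
        reasons.append("compliant device required")
    if rule["groups"] and not (rule["groups"] & req.groups):
        reasons.append(f"membership in {sorted(rule['groups'])} required")
    return (not reasons), reasons


# Constructed sample 1: an employee account used over the VPN without MFA from
# an unmanaged device, the situation a stolen credential typically produces.
STOLEN_VPN_SESSION = AccessRequest(
    user="jdoe", groups=frozenset({"employees"}), mfa_verified=False,
    device_compliant=False, source_network="vpn",
    resource="payroll-db", sensitivity="confidential",
)

# Constructed sample 2: a finance employee working from a public network with
# MFA completed on a managed, compliant laptop.
REMOTE_FINANCE_USER = AccessRequest(
    user="asmith", groups=frozenset({"employees", "finance"}), mfa_verified=True,
    device_compliant=True, source_network="internet",
    resource="payroll-db", sensitivity="confidential",
)


def compare(req: AccessRequest) -> dict:
    """Run both models on one request so the difference is visible side by side."""
    allowed, reasons = zero_trust_decision(req)
    return {"perimeter": perimeter_decision(req),
            "zero_trust": allowed, "reasons": reasons}


if __name__ == "__main__":
    for name, req in (("stolen VPN session", STOLEN_VPN_SESSION),
                      ("remote finance user", REMOTE_FINANCE_USER)):
        print(name, compare(req))
```

The two samples make the article's point concrete: the perimeter rule admits the stolen VPN session to confidential data and turns away the legitimate remote employee, while the context-aware policy does the reverse. Because the same policy is re-evaluated for every resource, a foothold on one host does not by itself grant access to the next one, which is what limits lateral movement in this model.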
While these SEC rules certainly place much more responsibility on CXOs and board members to manage cyber risk, the fact that these rules are intended to enhance transparency for investors is a move in the right direction. As cyber threats continue to escalate, become more frequent and expand in scope, greater SEC oversight demonstrates the severity and seriousness of the havoc that cyberattacks can unleash. The more cyber education and awareness we can generate, the better—it can only lead to a greater understanding and a universal awareness of the cyber threats that exist and, hopefully, new ways to stop them.
Source: Forbes