How Are New SEC Rules Impacting CISOs?

2024/11/7
Defense in Depth

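People
Allan Cockriel
Serves as Global Functions Chief Information Officer and Group Chief Information Security Officer at Royal Dutch Shell, focused on cybersecurity and information technology strategy.
Brian Becker
An executive with more than 20 years of IT leadership experience, specializing in enterprise-scale change and digital transformation.
Charles Levering
Damian Gagliardi
Serving as a Chief Executive Officer with an unspecified organization.
David Spark
Founder, executive producer and host, focused on producing and hosting a cybersecurity media network and podcasts.
Jenny Pace
No information available.
Jonathan Waldrop
No information available.
My Pedrick
As CISO of Eagle View, My Pedrick takes an active part in discussing the impact and challenges of the new SEC rules for cybersecurity officers.
Steve Zalewski
Former CISO of Levi Strauss, now a cybersecurity advisor and podcast host.
Ted Hyman
With 25 years of extensive experience and outstanding leadership ability, a top expert in the global cybersecurity field.
Unknown
Provides practical financial advice and life guidance through the Ramsey Network's podcast programs.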
Topics
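David Spark raises the question of the new SEC rules and how they affect CISOs, particularly in light of growing accountability and transparency. Steve Zalewski argues that the SEC is operating outside its comfort zone and that the CISO role is changing, with its importance depending on what the executive team needs. Allan Cockriel believes the CISO role is rising in importance, visibility and liability, a case of "be careful what you wish for, because you just might get it." He also stresses that companies need to operate within an internal control framework to manage risk.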

Chapters
The discussion begins with concerns about increasing regulations and legal responsibilities for CISOs, questioning whether they are adequately set up to succeed within their organizations.
  • Increasing regulations and legal responsibilities for CISOs.
  • Uncertainty about what CISOs are being held accountable for.
  • Both CISOs and regulators are outside their comfort zones.

Transcript

We're seeing increasing regulations and legal responsibilities applying to CISOs, but are CISOs set up to succeed in meeting these within the organizations? And do regulators realize this?

You are listening to Defense in Depth.

Welcome to Defense in Depth. My name is David Spark, I'm the producer of the CISO Series, and guess what? My co-host, he's here. His name is Steve Zalewski. Steve, say hello to the nice friendly audience.

Hello.

You'll hear that voice a lot more during this show. Our sponsor for today's episode: SpyCloud. Thrilled to have SpyCloud back on the CISO Series network. Act on what criminals know about your business. That's what SpyCloud can do.

They know what the criminals know and they let you know so you can defend against it. First, Steve, let's get to the topic at hand. It's the SEC, and they are increasingly holding CISOs accountable. And that's freaking a lot of CISOs out.

But does it actually know how CISOs operate in an organization? It seems like the SEC doesn't realize how little many CISOs can do to fix materially systematic issues, argued mic lock card, who's the CISO over at Eagle View, in a recent LinkedIn post. So I ask you, Steve, if regulators don't hold upstream leadership accountable, is the CISO being set up to fail?

I really like what Mike did here, which was the fear of the unknown. We don't understand what we are being held accountable for. And so we're asking a lot of open questions.

And I would argue right now, and what we're going to talk about, is the way the SEC works, they only have certain ways that they can enforce to make changes. And they're working within the interview how they understand how to operate. And in the case of this, they are kind of outside of their comfort zone as well. So you have both sides of the equation outside of their comfort zone, which is why we're asking a lot of open questions.

Well, to help us answer these questions as best as we can, because we don't necessarily have all the answers, but we're going to do our best here. It's a gentleman I did a live show with in Nashville, Tennessee.

Thrilled to have him on this show. It is none other than the group CISO over at Shell, Allan Cockriel. Allan, thank you so much for joining us.

Happy to be here. Could I see a David, Steve pledge mature?

What are they doing wrong?

Ted Hyman, who's the seo guru, said, quote, the CISO is not Superman. He does not have special powers, and he is only as good as the team he has in place around him. He has a limited budget, a shortage of talent, and has to contend with nation-state actors that have nearly unlimited budgets, unlimited manpower and unlimited MIPS.

How can you hold the CISO accountable when the company has been breached by a nation state? Holding CISOs accountable for a breach is ridiculous, unless there was true negligence. And Jonathan Waldrop, who is the CISO over at The Weather Company, said, quote, the SEC is now demanding full transparency, and boards of publicly traded companies are now on notice to over-communicate. It can be difficult, though, in a public disclosure to provide enough detail to outline the risk without showing all of one's cards. Where's the balance in how much info to disclose? Yeah, this is kind of the thing that we've heard, is like, come on, this CISO control all this? You're asking something very unreasonable. And also, what can they do here, Steve?

So the first thing I'm going to say is the CISO role's evolving. We've talked about this. And so what I see here is, as the role is evolving, it's going up and down, which this is becoming more important or less important depending upon what the executive team wants.

And so when I look at Jonathan's quote, right, the realization here is, hey, both sides are understanding we're having to go to change. We're not sure how to do this. We're really nervous that you're asking us to do something that we either don't know how to do or not empowered to do. And so now we're having what I'm hoping is going to be an intelligent discussion, right, between the industry players to figure this out.

And I mean, Allan, I mean, pretty much every company we speak with, the CISO isn't directly making public announcements. They are going through the communications department or they're just advising someone else who makes the more public announcements. So I mean, isn't the job of the CISO to be a risk advisor really in all these situations?

Yes. I think Steve nails it: this role is in flux. CIOs and CISOs have wanted to be elevated from a learning perspective for many, many years. And now the CISO is now being elevated in terms of importance, in terms of visibility and, in the U.S., in terms of liability. And this is one of those things, be careful what you wish for because you just might get it.

And I liken the changes that are happening now, similar to CFOs in the early two thousands, when you had Enron. Now, did we go and have a cyber version of SOX? Probably not.

I think what was actually passed is probably maybe under what it could have been in terms of holding the board and senior leadership accountable. But it does elevate the risk of cybersecurity. It does make sure that companies are held accountable to have a baseline expectation of cybersecurity. And I think, as Steve mentioned, we're going to find our way to find the right balance. I don't think we've seen the end of regulations, and I don't think the current situation's reflective of what the future will be like in the very near future.

You know, I brought this up with someone on another show, and most CISOs are turning to the two cases that we know of, one of Tim Brown with SolarWinds and Joe Sullivan with Uber. And my feeling, because things are always so unclear at the beginning. And I think the parallel you said with Enron and SOX with CFOs is very apt. Do you feel that because things are unclear, and either one of you jump in on this, that they're just waiting for the guinea pigs, and like Tim and Joe were the first of them, and we essentially learn from the first guinea pigs, and nobody kind of knows who's going to be the first ones? Steve, you're nodding your head.

So other things we talk about is, and the SEC will agree, they're not experts in cybersecurity, right? They're not. They don't have a set of experts, but what they can do, right, is if you lie and money is made, white-collar crime, we can do something about that.

And they are applying that pattern to cybersecurity now with Tim Brown, because that is the way that they can enforce the laws of the speak in the min that we have this conversation around risk management. And so this is the case why I say what are they doing right versus what are they doing wrong, which is within their permission how they know how to prosecute. They're forcing the conversation

for us to build on that. And I going to won't comment on the individual cases of those two gentlemen. When I've had interactions with the SEC and similar regulating agencies internationally, they want companies to do the right thing.

So they will use the tools that they have within their arsenal to be able to achieve the outcome. And this outcome is elevating the risk of cybersecurity, having an increasing standard of expectations for companies, more rigorous reporting and disclosure obligations. And you know, they're using the tools that they have to get that done. They may not be the best tools, but I genuinely see them trying to do the right thing. And I do think there's going to have to be an adjustment and tuning as we work our way into this new reality.

Where does the solution fall short?

My Pedrick of newspaper said, quote, I am unclear on the motivations of the SEC. In this case, I appreciate the need for ethical behavior, especially in publicly traded organizations, but being overly heavy-handed with CISOs does not in any way help the cause against external threat, rather the opposite, when good CISOs find their way out of the industry in an abundance of caution and self-preservation. And Damian Gagliardi of Leonardo DRS said, quote,

This sets a tone for how the SEC views and addresses cyber risk and how they will prosecute it. There will be a mass exodus of CISOs. Companies without CISOs will lose investors, and then there will be a huge need for new CISOs.

So actually, I'm glad that you made that last comment, Allan, because this is all about how you view the issue or what team you're on here. These people are obviously looking at it from the CISO's viewpoint: it's unclear, CISOs are going to leave because it's unclear, they're fearing for their jobs.

But as you just said, like, hey, the SEC wants to do a good job. They want us, everyone, to be ethical. They are just using the tools that they have currently.

So these people are just understandably fearful because, well, heck, they're not regulators themselves and they don't know what that job entails. What do you think?

Well, good. I like to keep things very simple, and I think the role of the CISO is going to get very difficult. There was a push to elevate the role of cyber and the role and profile of the CISO. Again, as I mentioned earlier, be careful what you wish for, because you just might get it. And for CISOs that leave the industry, again, that's on their own judgment. However, I do see this role being very challenging.

And if I take a bigger step back and I look at what I perceive the SEC and other regulatory agencies trying to do in the US, it comes down to trying to keep the country safe, take a step into the role of collective defense. Because the reality is large U.S., and in certain cases, and a lot of cases, actually, Western corporates are facing an unprecedented rise in nation-state attacks. And the reality is the U.S. government and the agencies need to be able to understand how they elevate the foundational cyber expectations. How do they control and identify ransomware payments? So hence the reason for having to report ransomware payments. And then from a disclosure perspective, as an investor, it's important to understand if there's been a material event in the companies you're choosing to invest in. And if I pick the pieces of the regulations that I see, it aligns to those general strategies: to increase basic expectations, to identify when cyber events are out there so we can raise the collective defence and collective security of Western corporates, and then last but not least, it's accountability on companies to start to raise the bar on cyber.

Yeah, I mean, look at taller responsibility, but I'm gonna get back to some of the original comments with you, Steve, here, which is what Mike and Damian said, which is we're going to lose CISOs because of this. I think that's an extreme fear.

I mean, CISOs have been leaving just because they're exhausted with the stress of just the job. Forget the new aspect of the SEC. I mean, there's just a lot of stress for the job, period.

Yes. I mean, I don't think this is pushing anyone over the edge. What do you think, Steve?

I don't think you're gonna see a mass exodus, but here's where it's worth. This effort fall flat, which is what they've done is forced a formalization of the definition of a CISO by giving them authority, if you want, to sign off on documents, that if they lie, they can go to jail. That's good. But we don't actually have as an industry that formalization of a CISO as a named executive officer or as the executive.

And so some of the consequences here, being very practical, is for a lot of CISOs, right, they've been appointed or anointed for CISO, but now that this formalization exercise is gonna go through, you're actually going to see a lot of CISOs become directors of security, because it'll be the CFO or it will be chief legal counsel that will actually be assigned the CISO role if they have to sign off on documents. And it will be a subset of CISOs that are also then brought up to the executive ranks. So I see this actually is, it's great that they're formalizing the CISO role with regards to accountability.

But we've got a lot to learn now to formalize what that looks like. Do you get certifications? How do you do that? And many companies, I think, are going to lower the CISO title in the organization and transfer that risk somewhere else.

Before I go any further, I do want to tell you about an absolutely spectacular sponsor, and that would be SpyCloud. Now it's no surprise to our listening audience that, given the concerning news about high-profile data breaches, that the criminal underground is booming, but the reality why it's booming is the growth of stolen identity data. We're talking passwords, session cookies and PII.

That is what is fueling the fire. And if you're relying on threat intelligence to understand the risk that your stolen employee and customer data poses to your company's risk of cyberattacks, we have news for you. It's not enough. What you really need is to understand exactly what criminals know about your users, the stolen identity data they're using to target your business right now.

So our friends over at SpyCloud, they're the leaders in cybercrime analytics and today's sponsor, they know this information and they actually arm your security team with the identity intelligence you need to act on stolen data, and whether this was exposed in a breach, an infostealer infection or a phishing attack, their automated solutions integrate with your favorite tools, so you act on the exact information criminals are using to target your business now, without massive effort or overhead. And me, it's actually quite easy to use. Put an end to account takeover and session hijacking and even ransomware with SpyCloud.

Now here's what you're going to do. You're going to want to get a report of your users. So this is tailored to you, your users' exposed identity data.

And you'd need it for free over at spycloud.com. I've seen it and it was totally worth the free. I can't stress that enough.

You will want to see this. It's going to scare you a little bit. But trust me, that information will be extraordinarily valuable too. So go to spycloud.com. It's spelt exactly the way that sounds. S, P, Y, cloud dot com. Go check that out.

What must the security leader be able to do?

Charles Levering of a with food said, quote, a CFO can't blame the CEO for making knowingly fraudulent accounting disclosures, and neither can the CISO on cyber disclosures. If the CFO reports to management and they still publish fraud, he must report it to law enforcement. CISO is no different. Fiduciary officers cannot defraud the government or shareholders.

Every corporate officer either is always mindful of staying far away from a Wells notice or is heading towards one. That's a good line there. Jenny Pace said, quote, in my experience with the SEC, sending in paperwork on the people who have specific job titles is a regulatory requirement, and the individual has to personally, the paperwork. The message for CISOs should be, if you cannot personally vouch for living inside best practices when they ask you to sign, look for another job. I mean, I think both Charles and Jenny put it pretty clear here. It's like, it's part of your job to report things as legitimate ways and as well as you know, whether you're the CISO or the CFO.

Yes, I agree. There would be one tweak to the last comment that I would make. And I would say it's less in terms of operating within best practices, but it's operating within your company's control framework. I generally believe that large corporates should have some sort of control framework to, again, manage risk within the organization, and the cyber leader, the CRO, the CSO, depending on how it's articulated.

That complaint needs to make sure that what they report is analytically accurate. So it's fair and balanced. But then it also reflects the company's control structure and risk appetite. And I think for cyber leaders and security leaders, if you do that, you lead with transparency, then I don't see you having much to worry about. So I think our industry, our experts need to be driving transparency in the organization and then stepping into a risk partnership role in all of the kind of compliance tick-boxing structure that some security and assurance organizations can find themselves in.

See, I'm going to ask a question that's gonna you to sort of prophesize: what do you think happened with the, do you think it's just because cyber has risen so much as an important role, kind of like money is an important role, so the CFO, so they have to regulate how money is falling, that cyber has reached such an important role that they have to start putting the same pressures on CISOs like they do CFOs and CEOs, or I'm not going to say, saying, but somewhat similar, if you will? What do you think?

So we have a lot of policies that have been coming out of government internationally, all of which are saying cybersecurity is very important. We've got to get better at it. Data privacy is important.

The problem is the policies that come out are enforceable. There are just best practices, so to speak. So for folks like the FTC and the SEC, right, those are more of the enforcing arms.

And so what you're doing is looking at those policies and figuring out how can I enforce them, what is my part in the security village, right, to improve our collective defense. And that's what they're doing, and they're executing within, like we talked about, the ways that they know how to do this. This is all good, right?

This is that part of that conversation now is, as a, quote, CISO, if you really have a pretty broad band of experience, you understand being a CISO for a Fortune 500, being a CISO for a SaaS company, being a CISO for a small-medium enterprise are not all one and the same. There's a lot of variability in how that CISO is perceived as well as how they want to execute their job.

And an example for that is, is my job to build the most matured security organization I can, or is my job to have good enough security for this company to make payroll for another week? It's not either/or, okay. It's and. And that's now where we're having a lot of angst, because CISOs that are working for us companies, right, that are cloud-native applications that are trying to figure out what to do there, versus a Fortune 200, where they have a lot of legal and regulatory complaints and evidence of compliance and large teams.

They both, quote, have a CISO, but the definition of success and what they can basically report on and the maturity, this is where we're having this conversation around it's not one size fits all. And that's where I am saying it's positive that a lot of people who don't understand cybersecurity are gonna help us and the industry understand all the variations of what a CISO is and where it makes sense that they be elevated. Or will they be deprecated in the organization based on the organization's risk profile

in the framework that they create? That Allan just talked about. Yeah, and just sit.

And what's the framework? So the way I say this is, is my job as a CISO to secure the company, is it to protect the business, or is it to enable you to sell more jeans? That simple statement of which of those three are you being held accountable for, and how do you see the value, percent value of what you do, result in very different security postures and can result in very different outcomes. Yet all three of those are legitimate CISO directives that we're trying to come to grips with you.

I agree with that. You know, just building on that is when you start to look outside of your corporate, one thing that actually makes me very nervous is the security of our supply chain, and that is our vendors, the people that provide hardware, software, the companies that we do business with.

And that's why I think smart regulation, my personal view, where smart regulation and targeted enforcement makes a lot of sense, because it raises the collective expectation of cybersecurity and helps to get at improving the overall security posture of the cosmos in which we work. And that for me, this is one of the big risks that I see this helping to at least narrow. They won't solve it, but it'll narrow it by, again, making sure that there's at least a basic expectation of what cybersecurity is like.

No one said that would be easy.

Brian Becker of class four said, quote, on one hand, Tim of SolarWinds might not have had the support of his upstream leadership, and I hope he had a story and a CYA documentation he can bring to the table. If he signed these documents and portrayed a false picture publicly under pressure from executives, he might have a case. If he doesn't, then fraud is fraud.

And I'll watch his case closely. On the other hand, no individual is an island, doesn't eeo it takes a village. And there should be a heavy hand for not just a CISO, but everyone involved, C-level risk management and especially the board of directors. Clear lack of oversight and due care here by the management team.

I think the attitude is just stripping away the CISO and only blaming him or her is, I think, would be misguided. And I feared what we've seen in these cases. And again, I don't know the full cases here.

I'll start with you, Steve. But it looks like they're being stripped away, the only ones blamed.

I would say, when we went back to SOX, S-O-X, the finance thing, right, the value of a CFO changed, because they became held accountable, legally accountable, right, for signing off on certain documents with the CEO. Again, what I think here is everybody's been saying, CISO, CISO, CISO is the acronym for the new cybersecurity executive that, like your lawyer and like your CFO, now needs to be that named executive responsible for cybersecurity risk. That's the good news. The bad news is the CISO role really doesn't exist yet.

It's very dynamic. It's primarily technical still. It's migrating into a business role in the organizations, and the policymakers are all now simply saying to one another, we've agreed that the CISO is the accountable party.

Everybody's kind of looking going, you know, that whole CISO thing we've been talking about, not quite so clear, right, is what we want, and that's the exercise we're going through of the formalization of the CISO role over the next three to five years. Or I wish to say more formalization over what it is, because it's been morphing. But nobody's cared up until now because while we might pay a fine nine if a GDPR, we've never been held accountable for a felony.

And this exercise of visitor felony and it goes to jail, right, means that our ability to know where we fit in that is the exercise we're going through. And so I think, you know, I always say, eventually common sense prevails.

Common sense will break out for small amounts of time, and then we go into irrationality again. And I would say we're at the beginning here of common sense is gonna break out as it goes through the court systems, because a whole lot of people now are really going to understand what the CISO role is, and you're going to see a lot of good things happen in the industry. But in the meantime, fear, uncertainty and doubt that cybersecurity has sold to our executives to be able to buy product is now being turned on us now.

And I don't want to tell me specifics, but you mention, you know, you operate under a framework. But I've got to realize that part of this framework is that you have communications and you have legal people, and they listen to the new regulations and the new laws, and then they come back and advise you like, hey, guess what, Allan, this and this is happening. So we need this kind of reporting because our framework has to adapt for this. I mean, that just seems like this is like nothing new, in the sense of this is just how we do business.

And that's why I think it's important to go back to basics in this case. And what's your risk objective? What's your control framework? What's your risk posture? Hardy, lead with analytics and drive transparency. Those expectations don't change. What I pick up from the question that you started the section with, David, is that I see this as just the natural evolution of this role as it rises in prominence and importance.

I spent most of my career as a CIO, and if I were to sign off on an attestation document or an end-of-year control posture or anything related to being a CIO, and I knew I was negligent, I would expect to be held accountable. And I don't think that can be any different from a cybersecurity leader being asked to document and to sign off on their controls work as well.

So again, natural evolution. If that drives some CISOs out of the market, so be it. If you're put into a position where you're coerced or forced to sign something you know is not right, then you should actually be leaving, because I think that, similar to a CFO post-SOX, you know that can be a career-limiting move. So again, I don't want people to be nervous or afraid or feel that they have to leave the industry. Just understand the expectations have increased and they'll be at parity with a CIO or a CFO or a CEO that's making sure that we fairly and accurately represent the posture of the organization. CFO has the financial posture, you'll have the security posture.

So Allan, I wanted to double tail on that. I had a conversation with a lawyer in the SEC. She was in the SEC. And here is what she said to me.

She goes, Steve, the NIST framework, I just learned this, was a couple weeks ago. That is a framework, not a standard. That's right.

And you can be held accountable to a framework. You can only be held accountable to a standard. Okay, so I go, here's an example of we talk about the NIST framework.

I can't, there's no standard there, right? Is what standard are you doing? Am I getting a SOC 2 Type 2, am I going for HIPAA, am I going for federal? It's standards we have to talk about so that we can demonstrate, right, compliance to standard.

We don't have common standard yet. We have a set. Yep. Yet here we are looking at frameworks.

And using the word frameworks is something that we need to be held accountable towards. I'm kind of curious, from your perspective, I've seen this dichotomy, framework versus standards. Where are you?

Well, so it's a nuanced answer. So if I look at the NIST framework or any of the ISO frameworks or similar frameworks, we've known as an industry what we needed to do for quite some time. Those frameworks, the NIST, ISO ones, provide all the detail of how to run a well-secured organization.

When I say control framework, I mean, within the company that you're operating in, how do you define your risk objectives, your control mappings, what good looks like, where your risk postures lie? And then how do you report and assure on those controls? So when I say framework, it's very much from an internal company control framework and not a NIST or ISO or one of those external frameworks, which you're right, are mainly best practices and suggestions.

I think where the nuance of the answer ends up, is I do see what they call additional regulations, but those type of standards being codified, where they are a lot more clear on what good looks like. And that means you have to have a certain control posture. You have to have, an example of that would be what we saw from the post-Colonial attacks in the Department of Energy.

They were very specific in what they expected. They wanted better identity and management. They wanted to have, they wanted what, I would argue, are security standards in the way you've contextualized it as how you secure some critical infrastructure.

So I see something like that probably ending up more broadly, potentially health care industry. And with some of the recent attacks, I think they're probably going to see increased expectations. And there was to be qualified standards and what the regulators would be looking to see as basic cybersecurity postures.

That was excellent. And by the way, this is the big summary I have for today's episode, is cybersecurity is becoming more important. That's why there's more regulation around it, and that the role of the CISO has ever changed.

And so we got two things that are going or moving at the same time. And heck, it's not the first time; there's a history of this. And by the way, regulations change over time, guess what? So now the CISOs are not want to in the cross here, but CISOs are being given more prominence in the discussion than they've ever had before, right? We come to the portion of the show, Allan, where I ask you which quote was your favorite and why. So which quote was it?

I think we got a lot of great quotes, David. The one that resonated with me was the quote from Charles around avoiding Wells notices. I think that's great for self-preservation as well as for longevity and career. So do the right thing, try to avoid the Wells notices and understand up one's heading your direction.

Steve, your favorite quote and why?

I'm going to take a slightly different slant. And I'm actually going to go with Jonathan Waldrop, the CISO of The Weather Company. He said the SEC is now demanding full transparency, and boards of publicly traded companies are now on notice to over-communicate. It can be difficult, though, in a public disclosure to provide enough detail to outline the risk without showing all of one's cards.

Where's the balance in how much is too much to disclose? And I think this gets back to the industry, is the CISO role is maturing. We've been told over-communicate now with our vulnerabilities and our exploitabilities, and we as CISOs are simply saying, but we can show you everything, that there's no standard for where the line is like there is for SOX controls for finance.

And I think that's the underlying aims. Now this is a great way of us being told, we're being given some direction, but we're being given direction without the way to be able to demonstrate evidence of that direction without giving too much away. And now we're having all these conversations as we're working through it.

Very good. Excellent. Well, that brings us to the very end of the show.

Huge thanks to our sponsor, that would be SpyCloud. Thrilled to have them back on board again. I adore what they're doing over there.

And you should get that free report of your users' exposed identity data. It's totally worth it to see. Go to spycloud.com. I did it.

You should do it: spycloud.com. Go check it out. I want to thank you, Steve, as always, thank you so much. And Allan, I always like to ask my guests if they're hiring. Are you hiring over at Shell?

We're always looking for great cyber talent. So reach out to me on LinkedIn and great to have a chat. Also so many great practitioners in the cyber community.

Awesome to hear. And we will have a link to Allan's LinkedIn profile on this episode on our blog at CISOseries.com. As always, to our audience, we greatly appreciate your contributions and for listening to Defense in Depth.

We've reached the end of Defense in Depth. Make sure to subscribe so you don't miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site, CISOseries.com, where you'll also see plenty of ways to participate, including recording a question or a comment for the show. If you're interested in sponsoring the podcast, contact David Spark directly at David at CISOseries.com. Thank you for listening to Defense in Depth.