The CISO and the SEC: Navigating the complex role of the CISO under SEC disclosure rules
Beta News – Petri Kuivala
The author of this passage is reflecting on their experience as a security leader and their observations regarding the relationship between CEOs and Chief Information Security Officers (CISOs), particularly in relation to breach disclosure.
They discuss the recent developments involving the SEC and SolarWinds, which they believe is a regulatory game-changer for the CISO community.
The author emphasizes the importance of ethical behavior and highlights two clear principles for CISOs: speaking truth to power and taking timely action with integrity.
The author shares a personal experience leading the response to a major breach and highlights the challenges faced by CISOs, including being blamed and fired for breaches in some cultures.
They believe that these dynamics are changing and that CISOs should no longer be pushed aside or ignored by the C-suite.
The passage notes that the centralized monitoring systems and on-call forensic experts portrayed in movies do not exist in practice, and describes the ethical dilemma a CISO faces when deciding whether to act or look away in response to a breach.
The misalignment of goals and incentives between the C-suite and information security is discussed, drawing parallels to the pre-Enron era.
The author expresses concern that the SEC ruling might lead companies to bury breaches more deeply and calls for deep conversations among CxOs and relevant stakeholders about their approach to cybersecurity.
The author advises taking a risk-based approach to cybersecurity, focusing on the most significant risks and allocating resources accordingly.
They suggest that the Board of Directors should ask important questions about prevention, detection, multi-factor authentication, system vulnerability fixing processes, and the security of Tier 0 services.
The passage concludes by emphasizing the importance of maintaining integrity throughout the intricate process of navigating breaches and disclosure.
The author suggests that if one finds themselves terminated for doing the right thing, it indicates a problematic company culture and that the individual will ultimately come out ahead, as being temporarily unemployed is preferable to unethical behavior.
Link: https://betanews.com/2023/11/12/the-ciso-and-the-sec-navigating-the-complex-role-of-the-ciso-under-sec-disclosure-rules/