I had a nice article written up about the government’s increasing interest in cybersecurity, and then the SEC had to up and indict the CISO of SolarWinds for fraud over his attestation to a cybersecurity standard that was not being followed.
When it comes to CISOs and security challenges today, the technical side of cybersecurity remains business as usual. On the GRC side, however, we are witnessing an explosion of change akin to the Cambrian period. Pandora’s box has been opened, and there’s no turning back. As a result, the role of the CISO has become significantly more challenging, both in job responsibilities and in job-retention decisions.
I’ve come across a plethora of content that incorporates Taylor Swift songs, and unfortunately (or fortunately?), I do not classify myself as a Swiftie. However, embracing the spirit of it, I, as a Millennial, will present the top 5 ways I perceive the significant influence of these changes, somewhat linked to quotes from one of my favorite movies from my childhood, Billy Madison.
- “May God Have Mercy On Your Soul.” – The Principal
This one is for the Chief Information Security Officer (CISO). As a CISO, your responsibilities extend beyond overseeing company-wide risk management, compliance, and risk prevention: you may now also face personal liability. If you’re a CISO and not covered by the company’s D&O insurance program, discuss this with your supervisor or the board. Ideally, a public-company CISO should run a robust risk management program that is aligned with the board and the Legal team. Strong support from the executive team to prioritize and fund the implementation of your program is crucial. Without it, you may be held responsible and have to defend yourself in a significant lawsuit brought by disgruntled shareholders, because your reputation and legal standing are on the line in the attestation.
- “What Does A Horseshoe Do? Are There Any Horse Socks? Is Anybody Listening To Me?” – Tour Guide
This quote perfectly encapsulates the sentiment that many CISOs and heads of Cybersecurity may experience during regular operations and quarterly or annual risk and budgetary meetings. With the government, particularly the SEC, placing a strong emphasis on transparency and implementing significant changes, boards and executives will swiftly recognize the importance of comprehending cybersecurity risks and integrating them into the 10-K report. The 10-K serves as a comprehensive annual review of the company’s financials and overall outlook, now necessitating the CISO’s endorsement on the cybersecurity outlook and risks. These new changes highlight the need for a more diligent examination of cybersecurity risk and transparency of the program to shareholders. The analogy of “horseshoes and horse socks” will now become widely recognized among investors. The “emperor’s clothes” are just a shade more…transparent.
- “Well, ‘Sorry’ Doesn’t Put The Triscuit Crackers In My Stomach, Now Does It, Carl?” – Eric
In the realm of SEC oversight and cybersecurity, a mere apology, a year of credit monitoring, and a slap on the back from a company after a data breach are now insufficient. They fail to undo the damage caused to investors’ trust or to address the financial and personal losses suffered, especially if the company has attested to compliance with, or enforcement of, a security program and that program was then found wanting. This quote effectively emphasizes the need for robust cybersecurity measures and the idea that accountability extends beyond the corporate entity to include individual responsibility. In cases of breaches, the SEC goes beyond accepting corporate apologies and holds individuals, such as executives and security officers, accountable for their failure to protect sensitive information. This highlights a shift toward personal responsibility and underscores the serious consequences faced by those in leadership positions when it comes to cybersecurity lapses.
- “Judas Priest, Barbara, it’s one of those flaming bags again!” – Old Man Clemons
Previously, Billy and his friends enjoyed a joke at Old Man Clemons’ expense by setting fire to a bag of shit and leaving it on his porch for Clemons to stomp out. In the realm of enterprises, it is imperative to establish robust cybersecurity measures to thwart mishaps akin to what Old Man Clemons experienced. Companies must exercise caution to avoid falling prey to inadequate security practices or vulnerabilities that should not exist in a modern, framework-based, and enforced security program. Furthermore, in line with the SEC’s proposed changes, cybersecurity programs should be effectively communicated to investors, highlighting advancements and implemented measures. However, it is crucial to strike a delicate balance: provide sufficient clarity while maintaining enough discretion to avoid handing attackers a roadmap. When disclosing information in their 10-K reports, companies should navigate the fine line between transparency and the risk of over- or under-disclosure, so as to avoid scrutiny from the SEC or investors.
- “Back to school, back to school, to prove to dad that I’m not a fool.” – Billy Madison
In the end, just as Billy had to return to school to prove his capabilities to his father and take over the company, this quote emphasizes the importance of continuous education for board members and C-level executives. It highlights the need to stay informed about the ever-evolving landscape of cyber risk, governance, and compliance, making these skills an integral part of their core competencies. While we hope to never rely on external bodies like the SEC as our “dad,” the responsibility lies with companies, executives, and boards to demonstrate a genuine commitment to cybersecurity. Recent incidents involving SolarWinds and Uber serve as reminders that mere compliance is not enough. While cybersecurity need not become the sole focus of most companies, it should be given greater attention within their overall business strategies. Only time will reveal how the SEC will enforce their mandates, communicate their expectations, and impose penalties.
As we navigate the complex landscape of cybersecurity, Class IV stands ready to provide support, guidance, and expertise. Whether you require executive coaching to better understand the nuances of cyber risk, governance, and compliance, or you’re in need of outsourced or fractional CISO services, we are equipped with the tools and knowledge to help.
Reach out to us today, and let us help you demonstrate your commitment to safeguarding your business and stakeholders. Class IV – your trusted partner in cybersecurity (and IT and Data).