A CISO guide to navigating rules.
The U.S. Securities and Exchange Commission (SEC) recently proposed rules requiring companies to disclose cybersecurity incidents within four days if deemed material. While well-intentioned, this rigid deadline presents compliance challenges for chief information security officers (CISOs). As the requirements firm up, security leaders should proactively prepare response capabilities, offer pragmatic advice regarding risks, and turn mandates into opportunities.
Focus First on Incident Response Maturity
Once rules are finalized, some companies may be tempted to immediately devote resources toward meeting disclosure deadlines. But for CISOs, bolstering incident response capabilities (through tabletop exercises, purple teaming, and process review) should remain the priority. No amount of compliance process can make up for immature response mechanisms.
CISOs should double down on response preparedness by maximizing visibility into IT environments, data flows, and emerging threats. They should hone detection and hunting skills to rapidly identify intrusions or compromises and streamline playbooks and workflows so teams can efficiently assess impacts, contain threats, gather facts, and remediate.
Solidifying capabilities before layering on disclosure compliance processes is ideal. Mature response mechanisms will allow for more informed, measured disclosures even on accelerated timelines.
Provide Pragmatic Guidance on Potential Disclosure Risks
While CISOs understand the need for timely transparency, they must also advise business leaders on the potential downsides of overly hasty reporting.
For complex cyber incidents, an initial four-day assessment will likely lack full context. CISOs should caution executives that disclosures without proper perspective could mislead or confuse investors. False assurances based on underestimated impacts could damage credibility when full-scope consequences emerge later.
CISOs should advise leaders to take care when revealing specific vulnerabilities, security tools, or vendors impacted before defenses are bolstered. Such details could aid attackers with exploit replication. Additionally, CISOs should warn leaders against disclosing response tactics still in progress, which could tip off threat actors and compromise containment.
Aim for reasonable transparency that informs without inadvertently exposing attack surfaces or misleading via omission of still-undiscovered impacts.
Remain Flexible and Solution-Oriented
The proposed rules are strict as written, but CISOs should determine whether regulators are open to tweaks during finalization. For instance, allowing limited delays or updates as an understanding of an incident evolves.
Even if regulators are not open to tweaking, prepare contingency plans for amending disclosures by filing subsequent 8Ks and have plans ready to judiciously leverage the exceptions if reporting clearly hinders response or enables further harm.
More importantly, maintain a solution-oriented mindset when reviewing requirements. CISOs should avoid a check-box compliance mentality, and instead focus on developing programs to integrate orderly disclosure with response processes in a streamlined manner. They should leverage any external communications requirements as opportunities to build security awareness among customers, employees, and partners.
Turn Mandates into Opportunities
With careful planning, CISOs can turn regulatory mandates into opportunities to advance security initiatives and achieve strategic goals:
- Use required cyber risk assessments and reporting to build business cases and secure the budget for key security tools, services, and staff. Attach figures reflecting potential regulatory fines or legal liabilities to investment requests.
- Structure material incident reports to reinforce cyber safety messaging for partners and customers. Include guidance on protecting against related threats, available assistance services, and where to find status updates.
- Leverage vendor oversight requirements to rationalize the security landscape. Eliminate redundant products, negotiate improved contract terms, and consolidate vendors for simplified governance.
- Use regulators’ cyber focus to support security awareness training for employees. Stress how every employee plays a role in cyber resilience and reporting potential incidents.
- Divert some regulatory compliance resources toward automation initiatives that reduce administrative burden in the long term while enhancing threat visibility.
Prioritize Proactive Security Testing and Validation
With so much focus on incident response and disclosure requirements, CISOs cannot lose sight of proactively identifying and shoring up security vulnerabilities and weaknesses. Regulatory compliance and incident preparedness are crucial, but rigorous security testing and validation to find and fix gaps before exploitation remains imperative.
CISOs must continue advocating for adequate budget and resources for comprehensive penetration testing, red team exercises, attack surface analysis, and vulnerability scanning. They should leverage cyber threat intelligence to inform testing scenarios reflecting current attacker behaviors and techniques.
Prioritizing remediation on any critical findings from assessments based on potential business impact, while balancing short-term reactive work with sufficient time allocated to these proactive validation activities, is vital for reducing organizational risk.
By instilling a culture and program centered on continuous security testing and remediation, CISOs can satisfy regulatory obligations while fulfilling their ultimate mission – identifying and eliminating weaknesses that could lead to incidents and breaches before adversaries exploit them.
Compliance through capability building, pragmatism, and opportunism is wise – but it cannot distract from rigorously finding and fixing the enterprise’s security gaps. CISOs must stay focused on security assessments and validations as a key to prevention.