Last Updated on February 9, 2023
In March 2022, the SEC issued a proposed rule entitled Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. It states the SEC’s intention to require disclosure from public companies on whether their boards have members with information security expertise, along with other details on their board’s oversight of cybersecurity risk.
Based on recent research from Proofpoint and MIT Sloan, addressing the proposed SEC requirements can happen organically, mainly by adjusting how CISOs and other operational leaders talk about information security with their boards. It’s about aligning planning conversations with the boardroom touchstones of “risk, resiliency, and reputation.”
Resiliency subsumes protection
Thinking about security in terms of resiliency versus just protection encompasses planning for disaster recovery and business continuity. Resilience also implies a best-practice approach enabling robust incident protection and detection. If you invest only in protective controls, you may not be managing risks associated with recovering the business after an attack.
Adjusting board attitudes
Proofpoint’s survey indicates that most board members believe that surviving a cyber-attack is a matter of “if not when.” And almost 75% of respondents consider information security a top priority.
At the same time, almost half the board members surveyed believe their firm is unprepared for a cyber-attack. (So why aren’t they driving to rectify this?) An overall takeaway from this research is that many boards aren’t fully aligned with their organizations’ information security priorities at the operational level.
To ensure adequate oversight and full compliance with the proposed SEC guidance, boards need to move beyond just hearing their CISOs present on strategy and tactics. Holding managers accountable for preparations that include both incident response and recovery is key.
Make a clear plan
No org can be 100% protected from all attacks. The goal should be to recover with minimal impacts to business operations, brand reputation, and the bottom line. This requires an actionable plan based on business strategy, financial analysis, and a deep awareness of the current security posture.
Some successful planning approaches companies have taken include:
- Hiring a third-party consultant to conduct a cybersecurity audit, as a starting point for dialoging with the board on “what-ifs” and understanding financial/risk tradeoffs
- Focusing on aligning information security with operational risk based on rigorous financial analytics to close the gap between potential cyber-attacks and business losses.
- Board members connecting with CISOs outside the boardroom to discuss cyber issues, share viewpoints, and just plain connect
Find a common language
In the words of Peter R. Gleason, CEO of the National Association of Corporate Directors, “We have heard from many directors the need to understand the financial exposure resulting from cyber-risk, going beyond the threat-focused, technical cyber presentations most boards receive.”
In other words, CISOs and other security professionals need to speak the senior leaders’ language of risk, resiliency, and reputation. Talking about security can be ambiguous when it comes to financial impacts and exposure. The odds of clear communication can improve dramatically with a well-considered approach.
Planning for resiliency, talking about security risk exposure in terms of financial impacts, and increasing the depth and frequency of conversations between management and boards will help companies prepare for the new SEC rules.
If your security planning discussions would benefit from expert, unbiased guidance on your security posture, compliance gaps, notable vulnerabilities, and/or best practices for addressing risks and achieving business goals, contact Pivot Point Security.