Sunday Musings Sec Cyber Security
Happy Sunday Friend!
Welcome back to another musing! I’m glad you’re here. Here are your Sunday Musings, a quick dose of what I’m exploring and thinking about. If you find it useful, please feel free to forward this along to friends!
New SEC Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rules
I’m taking a moment off the Controls run for this one. I think it’s important.
The U.S. Securities and Exchange Commission just finalized three major disclosure requirements for public companies. After more than a year of deliberation over new data breach reporting rules, the final rules take effect 30 days from 26 July 2023.
First, companies must disclose material cybersecurity incidents within four days of discovery (in most cases).
Second, companies must describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents.
Third, companies must describe the board of directors’ oversight of risks from cybersecurity threats, and management’s role and expertise in assessing and managing material risks from cybersecurity threats.
I’ve been watching this one and I think it’s a good step in the right direction. I like that the rule holds the reporting requirement to such a short timeline and focuses on the material impact rather than the details of the attack itself, for two reasons.
It gives us a principles-based approach. Companies have a variety of options to articulate their risk-management approach, producing multiple candidates for best practices each year that can feed future frameworks and framework updates. At the same time, it gives organizations the ability to run agile programs that can quickly adapt to changing threats.
It allows for quick reporting and information sharing without forcing poor analysis due to tight timelines. Material impact will be understood much sooner than all the details and facts about the incident. A first report to bring light (and potential support) to the incident will likely spur responses from governing and oversight bodies. This isn’t a bad thing. They’ll quickly let our organizations know how much more information will be necessary and how frequently the updates should come.
More paperwork, yes, but the communication also provides transparency and accountability. If we’re doing things right, it’s just business as usual, and it will go a long way towards future business opportunities when we have demonstrable systems and processes in place for compliance.
Did the SEC just make the CISO’s life harder? Maybe. Did the SEC just give the board a pass on responsibility for cybersecurity? I don’t think so. Here’s why.
I am not a fan of prescriptive legislation in a free-market economy. The board cares about making money and being successful as an organization. Businesses with millions of dollars in fines and constant oversight inspections don’t continue to make more money.
Poorly led organizations will likely treat the CISO as the “Chief Incident Scapegoat Officer”. They’ll burn through CISOs and rack up fines, always having an excuse but never actually avoiding the punishments, until they either fix it or fail.
Good organizations will understand that the CISO is an increasingly important role in politics, economics, and business operations. They’ll ask for advice and make decisions based on organizational risk management and tolerance.
Great organizations will do the same but begin to empower the “C” in CISO and start creating a seat (even if it’s along the wall to start) in the room to bring the key stakeholder and functionary into strategic decision making.
Did they, as Fractionals United’s CISO said, “ask a captain to navigate the desert, bearing all the blame for the heat, but without a say in choosing the path”? I don’t disagree, but I don’t agree. She has a point and I think it’s a possibility; they didn’t mandate a CISO or cybersecurity expert on the board, but they’re still holding the boards responsible through the three reporting requirements.
A boardroom lacking directors with cyber expertise is an indicator. Notably, many boards already add and disclose cyber experience and expertise. No senior executive worth a fraction of their salary is going to let a half-measure report go up and invite further scrutiny and fines.
It’s a step in the right direction. Is it perfect? No. Will organizations find loopholes? Absolutely. Hopefully it is one step of many on the journey.
Quote I’m Musing
“The purpose of today’s training is to defeat yesterday’s understanding.”
-Miyamoto Musashi
We are all leaders. You’re leading someone, or many someones, in some capacity, possibly without even knowing it (don’t take my word for it, watch this video). An essential part of being a good leader is being a lifelong learner. School is always in session. We are never too old or too good at what we do. We can never arrive, never reach capacity, never culminate. Learning is a daily practice; wisdom is the endless pursuit. Every day reveals new lessons; sometimes they’re reminders of previous ones.
We can learn something from everyone we meet; every engagement is a new opportunity to hone and refine our understanding. It isn’t enough to have learned from school, a book, or history once and be grateful for our lessons. We must always look for opportunities to learn, even from the wrong, the flawed, and the evil. As Emerson said, everyone is better than us at something, and every moment is an opportunity to learn. We should focus on that, I think, most of all.
I would love your feedback!
Which musing is your favorite? What else do you want to see, or what should I eliminate? Any other suggestions? Just send a tweet to @erichaupt on Twitter and put #SundayMusings at the end so I can find it. Or email eric@erichaupt.com for long-form feedback.
Have a wonderful week, I’ll see you Sunday.
-e
End of transmission.