Chief strategy officer with Sevco Security, security industry entrepreneur, board advisor, investor and author.
The Securities and Exchange Commission’s stringent new set of rules on cybersecurity reporting for publicly traded companies can be seen in two ways: as another regulatory burden on the shoulders of companies or as an essential step toward improving cybersecurity across the board.
In the short run, at least, it will likely be both. But in time, the benefits will outweigh any drawbacks. The SEC’s focus on cybersecurity metrics can blend with other financial reporting requirements to push companies toward a more complete security posture that involves asset intelligence and emphasizes material risk.
The rules will likely push companies to focus asset intelligence on evidence-based security data instead of simply taking inventory of devices and applications, leading them toward a continuous monitoring and improvement program.
They will also help companies get entire organizations involved in cybersecurity, encouraging a confluence of IT, security, compliance and legal in ways that will help everyone involved.
The Need For Deep Asset Intelligence
The potential for a blended approach to cybersecurity constructed on evidence-based data underscores many companies’ need for better asset intelligence. The recent cybersecurity attack on Clorox illustrates why. Clorox was among the first large companies to be breached when the SEC’s new rules took effect, requiring the company to report the attack via the SEC’s Form 8-K within four days.
Clorox complied, but the information it had on the impact of the attack was limited, so it followed up with a series of a half-dozen more 8-K filings over the next month, each adding more details. Still, none revealed the full financial impact of the attack. Some cybersecurity experts expect that Clorox’s response will be typical of other companies because of the difficulty of determining an attack’s impact quickly. But partial reports can leave shareholders in the dark.
Comprehensive asset intelligence—including how those assets are managed, which have security controls, which may be end-of-life, and how they use data—can help better assess the impact of an attack.
The new rules can also push companies toward better asset intelligence by encouraging the use of evidence-based data and metrics to assess material risk.
The Path To Continuous Improvement
Companies collect a lot of security metrics that can be of dubious real value. Knowing you blocked 9,000 malware attacks in a month may sound good, but what if there were 9,008 such attempts? Thorough asset intelligence can help organizations concentrate on genuine threats by focusing on operational controls and material risks. For example, an endpoint that lacks a security agent or an older, unpatched system can be just as dangerous as a known vulnerability from the Common Vulnerabilities and Exposures (CVE) list hiding inside a network. It’s not enough to inventory all your devices, applications and users; you must know whether the security controls are present and working.
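The reconciliation described above (inventory cross-checked against evidence that controls are present and working) can be shown concretely. The following is an added example written for this page, not code from the author or from Sevco Security; every host, date and tool feed in it is constructed, and the gap categories and weights are assumptions chosen to illustrate the idea.

```python
"""
Added example: reconcile a CMDB inventory against evidence from security
tooling (EDR check-ins, patch runs, OS support status) and risk-rank the gaps.
All data below is constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date

# Constructed CMDB inventory: every host IT believes exists.
CMDB = [
    {"host": "fin-ws-01", "os": "Windows 10 22H2", "owner": "finance"},
    {"host": "fin-ws-02", "os": "Windows 10 22H2", "owner": "finance"},
    {"host": "db-prod-01", "os": "Ubuntu 18.04", "owner": "platform"},
    {"host": "web-prod-03", "os": "Ubuntu 22.04", "owner": "platform"},
]

# Constructed EDR evidence: host -> date the agent last checked in.
EDR_AGENTS = {
    "fin-ws-01": date(2024, 1, 9),
    "db-prod-01": date(2023, 10, 2),   # agent installed but long silent
    "web-prod-03": date(2024, 1, 10),
    "lab-box-7": date(2024, 1, 8),     # known to EDR, absent from the CMDB
}

# Constructed patch-management evidence: host -> last successful patch run.
PATCH_RUNS = {
    "fin-ws-01": date(2024, 1, 5),
    "fin-ws-02": date(2023, 8, 20),
    "web-prod-03": date(2024, 1, 7),
}

# Constructed list of OS versions treated as past vendor support.
EOL_OS = {"Ubuntu 18.04"}

# Constructed "as of" date so the example is deterministic.
TODAY = date(2024, 1, 15)


@dataclass
class Findings:
    no_edr_agent: list = field(default_factory=list)
    stale_edr_agent: list = field(default_factory=list)
    unpatched: list = field(default_factory=list)
    end_of_life: list = field(default_factory=list)
    unknown_to_cmdb: list = field(default_factory=list)


def reconcile(cmdb, edr, patches, eol, today, max_age_days=30):
    """Cross-check the inventory against control evidence; return the gaps."""
    f = Findings()
    known = set()
    for asset in cmdb:
        host = asset["host"]
        known.add(host)
        # Control present? An inventory entry alone proves nothing.
        if host not in edr:
            f.no_edr_agent.append(host)
        # Control working? A silent agent is evidence of a broken control.
        elif (today - edr[host]).days > max_age_days:
            f.stale_edr_agent.append(host)
        last_patch = patches.get(host)
        if last_patch is None or (today - last_patch).days > max_age_days:
            f.unpatched.append(host)
        if asset["os"] in eol:
            f.end_of_life.append(host)
    # Hosts the tooling sees but the inventory does not are gaps too.
    f.unknown_to_cmdb = sorted(set(edr) - known)
    return f


# Assumed weights: missing or unsupported controls outrank merely stale ones.
WEIGHTS = {
    "end_of_life": 3,
    "no_edr_agent": 3,
    "unpatched": 2,
    "unknown_to_cmdb": 2,
    "stale_edr_agent": 1,
}


def risk_rank(findings):
    """Sum gap weights per host so the riskiest assets surface first."""
    scores = {}
    for bucket, weight in WEIGHTS.items():
        for host in getattr(findings, bucket):
            scores[host] = scores.get(host, 0) + weight
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def report():
    """Run the reconciliation over the constructed feeds."""
    return reconcile(CMDB, EDR_AGENTS, PATCH_RUNS, EOL_OS, TODAY)


if __name__ == "__main__":
    findings = report()
    for host, score in risk_rank(findings):
        print(f"{host:12s} risk score {score}")
```

The output ranks db-prod-01 first (end-of-life OS, no recent patch run, silent agent), then fin-ws-02 (no agent at all, stale patching), then lab-box-7, which exists only in the EDR console; that last category is the kind of asset that turns an incident write-up into a month of follow-up filings.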
With their reporting requirements, the rules also encourage organizations to involve the leadership team and other departments, such as legal and compliance, so that everyone better understands governance’s role in managing security.
And, importantly, they push public companies toward the industry trend of proactive and continuous assessment, which involves not only constantly assessing where your security gaps are but mitigating them on an ongoing basis.
That approach is becoming a requirement under many regulations, such as the Payment Card Industry Data Security Standard (PCI DSS). You have to patch vulnerabilities, but you also have to find new vulnerabilities and risk-rank them. PCI DSS is moving toward making companies prove that what they’re doing is working and that they are focusing on the most critical risks.
Moving Forward
Publicly traded companies are still getting used to the SEC’s new rules, which were adopted in July and formally took effect on September 5. Companies must report “material” cybersecurity incidents within four days, describing the incident and its impact, and they must file annual reports beginning in December.
Complying with these rules will be a challenge for companies that don’t have complete visibility into their assets, including the state of security controls on devices and applications throughout the enterprise. However, with asset intelligence that includes evidence-based data focusing on material risks, they can begin to weave together security and compliance, moving toward a continuous monitoring and improvement program that more efficiently secures the enterprise.