The modern CISO's guide to navigating new SEC cyber regulations

The U.S. Securities and Exchange Commission (SEC) regulations requiring reporting of a material cybersecurity breach within four days have taken effect. As we progress through 2024, CISOs are going to face the harsh reality of needing to consistently demonstrate and attest to the fidelity of their cybersecurity program.

The outdated method of “buying every tool to protect every vulnerability” will simply fail. Without a clear vision of your threat exposure, security teams will be left feeling overwhelmed with the specific task of addressing known risks, often leading to a game of cybersecurity whack-a-mole -- addressing risk after risk with no real light at the end of the tunnel in sight.

How the CISO’s Job is Changing

Make no mistake about it -- the issue resulting in the need for this regulation is based on a collective industry mindset that is over two decades old. Indicator of Compromise (IOC)-based threat intelligence is simply not useful any more and the issue of needing to boil the ocean when it comes to reducing your threat exposure truly stems from an ignorance of who exactly is targeting these companies, how they are doing so, and where the threat actors are in relation to your defensive controls.

The SEC regulations require CISOs to have proactive planning thought out when it comes to defensive controls. In examining the threat environment holistically, CISOs are allowed access to knowledge of their adversaries on the forefront, giving them greater ability to thwart attacks, or at the very least, report breaches efficiently and effectively.

Sarbanes-Oxley and Whistleblower Protections

CISOs are often facing an internal challenge of multiple stakeholders with multiple opinions when it comes to reducing threat exposure. For example, a CISO could express concern when it comes to a specific area of defensive tooling, but the IT department could completely disagree and refuse to apply the recommended changes, resulting in a breach. What happens then? Is the CISO then held accountable for effectively doing their job?

The Sarbanes-Oxley Act, passed by the Congress of the United States in 2002, extends whistleblower protections to the employees of a publicly traded company that notify the SEC of a violation of any rule or regulation set forth by the SEC. While this applies to the cybersecurity breach reporting regulations, many concerns remain when it comes to reporting for the CISO.

Whistleblower status is the very definition of being stuck between a rock and a hard place for CISOs. Being thrown into the hot seat, even when the CISO has done everything correctly, is a very unenviable position, leaving CISOs with the most consequential decision of their careers: Do you risk getting sued by the SEC? Or do you pull the proverbial fire alarm on your own employer under legal whistleblower protection and risk employment termination?

The Sarbanes-Oxley Act is simply not the safety net that CISOs need. With no assurances regarding employment status, CISOs can be faced with two horrible options regarding their career path, even when they have handled their personal responsibilities within their job description.

Building a Well-Reasoned and Defendable Cybersecurity Program

The most straight-forward, yet most daunting task for CISOs to avoid negative repercussions of the SEC regulations is to build a well-reasoned and defendable cybersecurity program that consists of four key elements: Defining Material Risk, Identifying Threats, Assessing Threats, and Managing Threats:

• Determine what is material: The cybersecurity industry has yet to define “Material Risk,” but the SEC has provided rough guidelines in the charges against SolarWinds. Instead of getting hung up on the definition of material, consider replacing this determination with the demonstration of the tangible impact of a breach on organizational networks. The modern CISO must be able to demonstrate, with certainty, the extent to which the organization and individuals were impacted.
• Identifying threats: The modern CISO must also possess the ability to build and maintain a continuously updated threat model of the organization, including size, geography, infrastructure, type of data being protected, and critical assets. From there, the CISO will be able to define the most likely threat actors targeting their organization. They will then need to identify and prioritize organizational vulnerabilities. Gone are the days of a “first in, first out” method of patching prioritization based on a CVSS score. Make no mistake, only 2-7 percent of exploited vulnerabilities are actually targeted by threat actors, according to the Forum of Incident and Response Teams (FIRST). The responsibility, now more than ever, falls on the CISO to shore up where the adversary will most likely target the organization.
• Assessing the threat: It is clear that the SEC believes that threat is integral to risk, leading the CISO to a defined set of threats versus assessing defenses against basic risk scores. The modern CISO should look to CISA for Tier I threat information, the NSA and US Cyber Command for Tier II, large scale commercial threat intelligence companies for Tier III, and lastly, single source intelligence providers for Tier IV.
• Managing threats and vulnerabilities: Managing your threats and vulnerabilities is dependent on mapping relative security controls to the adversary, their TTPs, and their targets. Think of this as the “who, how, and where” of your security program. The organization must have the proper visibility and detection logic in place. Relying on the word of a third-party vendor that their product satisfies current regulations in place is simply not good enough and does not protect the CISO from indemnification. To effectively manage threats and vulnerabilities, CISOs should maintain a real-time feed of the security environment with a heavy focus on security entropy or “environmental drift.”

The bottom line is adopting aggressive changes such as the ones set forth by the SEC certainly will remain a challenge, but forcing progressive changes, such as leveraging TTP-based threat intelligence, gaining a holistic view of threat environments, and proactive planning of cybersecurity programs will take aim at bettering the cybersecurity industry as a whole for years to come.

Patrick “Pat” Arvidson is Chief Strategist/Evangelist, Interpres Security.

Photo credit: Den Rise / Shutterstock