Why new compliance rules are changing the game for CISOs [Q&A]


The job of the CISO is becoming increasingly complex, with new rules around security and compliance, disclosure requirements following incidents, and more.

We spoke to John Morello, CTO of Gutsy, a company which was the first to apply process mining to security, to find out how things are changing and how CISOs should respond.

BN: What challenges will the SEC disclosure create for CISOs moving forward?

JM: The new cybersecurity disclosure rule mandated by the SEC poses significant challenges for CISOs as they navigate the evolving landscape of cybersecurity governance.

The four-day notice mandate imposed by the SEC makes timing attacks more potent and potentially lucrative for attackers. Attackers could exploit disclosure windows to profit from falling share prices or disrupt critical business operations.

The accelerated incident response required within the four-day window may also expose organizations to additional attacks while ongoing incidents are being addressed. This increased vulnerability could strain security response teams and further complicate the remediation process.

Finally, the shift towards rapid incident response necessitates significant resources. Balancing transparency with security requirements will be crucial as organizations navigate the complexities of compliance and risk management in the digital age.

All of these challenges add pressure and complexity to the disclosure process, potentially leading to increased risks and costs for affected organizations.

BN: There have already been attempts to weaponize the SEC cybersecurity disclosure rule. What happened there and can we expect more of this?

JM: One notable example is the case of the ransomware group ALPHV/Blackcat leveraging the threat of regulatory action to pressure companies into paying ransom demands.

This tactic exploits the fear of hefty fines imposed by the SEC for non-disclosure of cyberattacks, adding another layer of complexity and risk to the cybersecurity landscape.

As organizations become more aware of the potential consequences of non-disclosure, we may see further attempts to weaponize the disclosure process. Ransomware groups and other malicious actors may exploit the fear of regulatory action to extort payments or disrupt business operations.

While it's difficult to predict the exact nature and frequency of attempts to weaponize disclosures, organizations should remain vigilant and take proactive measures to mitigate the risks associated with cyber threats and regulatory compliance. This includes implementing robust cybersecurity measures, fostering a culture of security awareness, developing and regularly testing an organization-wide response plan involving all stakeholders, and collaborating with industry partners and regulatory authorities to address emerging threats effectively.

BN: No CISO has the full picture of an attack in the first days. How will this work if, as we know, an attack could have consequences that extend months, sometimes years?

JM: The consequences of cybersecurity incidents are like a ‘living thing’ that can extend over weeks, months, or even years. The new SEC cybersecurity disclosure rule, which mandates disclosure of cyberattacks within four days, presents a significant challenge in this regard.

Addressing cyberattacks and their consequences requires a comprehensive understanding of the attack vector, the extent of the compromise, and the potential impact on business operations and data security. However, obtaining this level of insight within a four-day window is often unrealistic, especially for complex and sophisticated attacks.

As a result, organizations may struggle to comply with the mandated disclosure timeline while still fully understanding the scope and implications of the cyber incident. This could lead to incomplete or inaccurate disclosures, potentially exacerbating the situation and increasing the risk of further exploitation.

Organizations may need to adopt a more proactive and agile approach to incident response and disclosure. This could involve implementing advanced threat detection and response capabilities, enhancing collaboration and communication between security teams and other parts of the organization (such as legal, risk management, and communications), and working closely with external partners and regulatory authorities to share information and coordinate response efforts.

But while this mandate presents a challenge, it also highlights the importance of preparedness, resilience, and collaboration in effectively managing cybersecurity incidents and mitigating their impact on business operations and data security.

BN: How will this entire phenomenon change the CISO's relationship to the board and business?

JM: I see this as a massive opportunity for CISOs to exert their knowledge and sway over which resources the business and board should invest in to ‘future-proof’ their security systems.

Already, at face value, the cybersecurity disclosures underscore the importance of cybersecurity as a strategic business priority.

By default, this will require CISOs to engage more closely with the board and business leaders to communicate both the potential impact and future mitigation of cyber threats to protect the organization's operations, finances, and reputation.

The increased visibility is an opportunity for CISOs to further educate the board and stakeholders on the importance of cyber. This could lead to greater support and investment over time.

BN: What is Gutsy and how can CISOs use it to help with these compliance headaches?

JM: Gutsy pioneered the application of process mining to security. The solution was designed from the ground up to offer automatic, data-driven insights into the intricate workings of an organization's cybersecurity infrastructure, spanning its teams, tools, and processes.

We designed Gutsy with the understanding that organizations lacked insight into ROI behind their cyber solutions and processes.

And it’s not just built to give security teams this understanding, it provides the business side of the organization with the insight to understand efficiency and risk.

This is precisely why we think Gutsy can really help CISOs manage the SEC cybersecurity disclosure rule. We focus on three key pillars: improving outcomes, automating auditing, and deriving ROI.

We do this by providing insights into the dynamics between their teams, tools, and service providers, identifying areas of friction, streamlining processes, and ultimately reducing risk. By establishing key performance indicators (KPIs) across all security functions, Gutsy enables CISOs to automatically gauge performance and comprehend the reasons behind their achieved outcomes.

Secondly, auditing. Through automated data gathering on every process execution and correlation of activities across complex workflows, we elevate auditing from a mundane checkbox exercise to a profound understanding of risk evolution and persistence. This enhanced auditing capability aids CISOs in meeting regulatory requirements more effectively.

Last but not least, we assist in mitigating risks associated with strategic initiatives such as cloud migration, managed services adoption, and the implementation of new security tools. By providing comparative insights on operational changes, CISOs can measure return on investment (ROI), align investments with industry best practices, and adhere to regulatory standards.

Gutsy not only helps CISOs comply with regulatory mandates like the SEC cybersecurity disclosure rule but also enhances overall security outcomes for their organizations.

© 1998-2024 BetaNews, Inc. All Rights Reserved.