The cybersecurity rules recently adopted by the Securities and Exchange Commission (SEC) are only the latest increase in regulatory demands for corporate responsibility and transparency around cybersecurity. The rules require publicly traded companies to disclose material cybersecurity incidents within four business days of determining that an incident is material, and also to provide an annual report describing their cybersecurity risk management, strategy, and governance, including management's and the board's expertise in cybersecurity.
These new regulations reinforce a crucial tenet that we at the SANS Institute have long embraced: Effective cybersecurity starts with skilled people first. That skilled staff can architect and implement comprehensive and resilient security processes and choose the best technology to ensure effective defense and efficient use of scarce corporate resources. Understanding and managing cybersecurity risk requires a comprehensive approach, blending technological defenses with skilled personnel and knowledgeable leadership.
The new rules require public companies to disclose management and the board's role in assessing and managing cybersecurity risk, including their expertise in this field. The SEC declined to define what constitutes sufficient expertise – that is considered to be part of management’s responsibility. However, it is clear from previous regulatory responses that knowledge of changing threat environments, as well as the risks of new technologies, combined with operational experience and training within cybersecurity, is required.
SEC regulations are intended to make sure publicly traded companies are transparent and honest with shareholders about risk, and auditors then verify that a company's actions match the claims in its filings. The financial world has repeatedly seen that insufficient attention to cybersecurity is the root cause of the most financially damaging attacks, so the updated regulations are intended to make sure that sufficient expertise exists, and is maintained, at publicly traded companies to manage that risk effectively.
The regulations apply to all corporate management, not just oversight by the Board: “Describe management’s role in assessing and managing material risks from cybersecurity threats.”
The CEO, CFO, CIO, COO, Chief Legal Counsel, and not just the CISO, all play key roles in effective cybersecurity risk management. Other roles, such as Software Architect, Security Operations Center Manager, Security Architect, etc., have key responsibilities for assessing and mitigating risks. All of these roles need to be aware of changing threats, the risks of increasingly complex supply chains, and what impact new technologies such as AI will bring.
At the SANS Institute, we have seen the impact of comprehensive training that builds the competencies needed for effective security processes: detecting and defending against breaches, and communicating cybersecurity risk clearly enough to gain the support of corporate management. This requires immersive, practical education delivered by seasoned professionals who confront cybersecurity challenges that grow more sophisticated every day.
SANS is immensely proud of the legacy of real-world, practitioner-level expertise that we have cultivated over the years. We're dedicated to sharing our knowledge and enhancing cybersecurity understanding across all roles in an organization. This effort significantly reduces overall cybersecurity risks and streamlines compliance with the new cybersecurity regulations.