RSA 2024 Preview: C-Suite Lessons on Compliance and the SEC Cybersecurity Rule
Enterprises are facing a heavy lift, thanks to a renewed emphasis on compliance. In the last of our RSA 2024 sneak peeks, Jim Mirochnik of Halock Security Labs discusses his upcoming conference session, the value of establishing acceptable risk, and the challenge of “governance 2.0.” Remember, lift from the legs....
Since the SEC’s new cybersecurity disclosure rules took effect last December, Hewlett Packard Enterprise, Microsoft, UnitedHealth Group, and other major publicly traded companies have filed disclosures to comply – that is, they assessed whether an incident was material to a “reasonable investor,” weighing both quantitative and qualitative impact.
The new SEC rules stress the importance of detailing those impacts, call for clear accountability, and, as breach reports roll in, pull back the curtain on companies’ cybersecurity risk management processes and practices for all the world to see.
They’re a big part of the recent wave of increased scrutiny and regulation forcing companies to get their cyber governance buttoned up.
Enter Jim Mirochnik, senior partner and CEO of information security consultancy Halock Security Labs, who’ll be laying out strategies and guidance in his talk at next week’s RSA Conference, titled “Techniques to Evolve Risk Governance and Comply With SEC Cybersecurity Rule.”
He’ll discuss what “a clear line of acceptable risk” entails, how to define total known risk, and how organizations should form a road map to reduce cybersecurity risks to acceptable levels. (The session takes place Tuesday, May 7, at 4:15 p.m. ET / 1:15 p.m. PT at RSAC 2024, which runs May 6-9 at the Moscone Center in San Francisco.)
Focal Point spoke with Mirochnik to get a preview of his session and learn about best practices in cybersecurity risk governance and compliance.
(This interview has been edited for clarity and length.)
The rise of governance has forced a huge paradigm shift in cyber risk management practices. What are the key changes from the old way to the new way?
We’ve watched PCI DSS [the Payment Card Industry Data Security Standard, which protects credit card data] require increased governance. We’ve watched NIST CSF 2.0, [the National Institute of Standards and Technology’s revised cybersecurity framework], which came out in August of last year. We’ve seen this SEC cybersecurity rule now require increased governance. And so the question is, they’re all asking for more governance, but what does that mean? What are they really asking us to do?
The way I’ll discuss it in my RSA session is, really what we did before was the old way, called governance 1.0. Now, we’re moving to a new requirement we’re calling governance 2.0. If we look at a simple paradigm of people, process, and technology, under 1.0, on the people side, there was no individual accountability. And people were informed in technical terms. In governance 2.0, they’re asking for clear accountability and ownership all the way to the board and to inform people in business terms.
We’re providing five things that can be done, and they are capabilities to establish legal defensibility, a clear line of acceptable risk, understanding your known risk, being able to provide a road map that shows how you’re getting to an acceptable level, and executive reporting. If you get these five capabilities down, your governance goes from 1.0 to 2.0.
We now provide not only what those things are but also templates that companies can use. Of course, they can see a demo of an application that does all these things out of the box, or they can utilize the templates for free.
What is the SEC Cybersecurity Rule and how will it affect organizations when it comes to compliance? Does it apply only to public companies?
The official name is the Cybersecurity Risk Management Strategy, Governance and Incidents Disclosure, and it applies to SEC disclosure reports for investors. It requires accountability, transparency, and communication with management and the board of directors of public companies regarding their cybersecurity risks and incidents.
They require the organization to clearly articulate their strategy in sufficient detail for “a reasonable investor to understand.” They require management to be informed of risks and incidents. Your board of directors has to make decisions on investments and have oversight of risks and incidents. Well, guess what – for them to have oversight, they have to understand what you’re telling them. You cannot manage something you don’t understand. We’ve got a chronic problem in our industry where we have information security going to the board of directors trying to get approval and explain what’s happening. But they don’t speak the same languages.
What are some tips for organizations on how to comply with the SEC Cybersecurity Rule?
Whether it’s the 8-K, 10-K, or 20-F forms, work with someone who can help you formulate your disclosure reports properly so that what you’re saying is accurately reflected in what you’re doing. Because when you put that out there, that’s a representation of how you’re running security.
The second step is to really embrace that the way you govern and manage security has to be done in a governance 2.0 sort of way, meaning security management isn’t a project: If what you do once a year is come up with a list of projects, let everyone go, and don’t look at it until next year, that’s not risk management. That’s not security governance. What you ought to be doing is to own a risk register that sits in some database-driven application, and as things come in, as a pen test set of findings enter your world, those are prioritized. As incidents happen, those risks are prioritized. It’s a living process.
Running security as a process is governance. So if the risk register is continually being updated, remediation plans are updated, new risks are coming in that are displacing other risks and displacing your focus on those that are highest priority, and you’re doing that with the goal of getting risks to an acceptable level over time, a regulator/litigator will look at that and say, ‘You know what? A breach happened. Control wasn’t in place.’ Now, things aren’t supposed to be perfect. But the process is running the way it’s supposed to. They’re assessing harm to others.
How should organizations approach compliance with PCI DSS 4.0 and NIST CSF 2.0?
I’ve been a PCI qualified security assessor for probably more than a decade. And the latest version of PCI DSS 4.0 continues to raise the bar. It [expects you to stick to certain timeframes for tasks but] essentially requires you to set your own cadence [based on your needs and environment]. It demands targeted risk analysis. They’re really saying the same thing that NIST is. NIST is saying we now have a [governance] function. And they have requirements within that module that talk about how the organization’s mission must be understood.
So think about that. They’re saying information security has to understand the company’s mission — part of governance. They’re asking the information security manager for NIST to understand the risk appetite and tolerance, meaning, What’s your line of acceptable risk, above which you remediate, below which you accept. And they’re asking for a standard method for calculating and prioritizing cybersecurity risks.
What type of a road map is necessary for organizations to reduce cybersecurity risk and manage compliance?
This is probably one of the most fascinating phenomena in our industry. I could never even list on two hands the number of clients that have said, ‘Help us figure out a road map.’ They say, ‘When we get in front of the board, we don’t know what to show them because we get back to the same problem of statistics.’
CISOs want to talk in business terms, to make decisions. But when you show someone a two-year road map, that’s got to explain where you’re headed and why you’re headed there. We spent the last decade helping clients create road maps, and here’s what we’ve ascertained: that how you define the overall road map is not that different from the information [we] want when we get our yearly [physical]. We want to know, am I OK? And if I’m not OK, how do I get to OK? We’re not interested in a long list of all the percentages and statistics.
What we always encourage organizations to do is to confront those questions right out of the gate. “OK” means we have a line of acceptable risk. And that line of acceptable risk represents a quantitative score that organizations go through.
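The register-with-a-line idea that runs through the last three answers (a living risk register, a line of acceptable risk above which you remediate and below which you accept, and a road map that shows how each risk gets to the line) can be made concrete in a few dozen lines. The example below is added here for illustration; it is not Halock’s Reasonable Risk application, nor the DoCRA method, and the 1-to-5 likelihood and impact scales, the threshold of 8, the simple likelihood-times-impact score and the four sample findings are all constructed for the example. A real register would carry the organization’s own scales and its own definition of “known risk.”

```python
"""Minimal risk register with a line of acceptable risk (illustrative, constructed example)."""
from dataclasses import dataclass
from typing import List, Optional

# Assumption: scores are ordinal 1..5 and risk = likelihood * impact (1..25).
# The "line of acceptable risk": strictly above -> remediate, at or below -> accept.
ACCEPTABLE_RISK = 8


@dataclass
class Risk:
    id: str
    description: str
    likelihood: int                    # 1 (rare) .. 5 (expected)
    impact: int                        # 1 (negligible) .. 5 (severe harm, incl. harm to others)
    planned_control: str = ""          # remediation named in the road map
    residual_likelihood: Optional[int] = None  # expected likelihood once the control is live
    residual_impact: Optional[int] = None      # expected impact once the control is live

    def __post_init__(self) -> None:
        # Reject out-of-scale scores so a bad entry cannot silently skew the register.
        for value in (self.likelihood, self.impact,
                      self.residual_likelihood, self.residual_impact):
            if value is not None and not 1 <= value <= 5:
                raise ValueError(f"{self.id}: scores must be 1..5, got {value}")

    def score(self) -> int:
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        # Unchanged factors keep their current value when no residual estimate is given.
        lik = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        imp = self.impact if self.residual_impact is None else self.residual_impact
        return lik * imp


def prioritised(register: List[Risk]) -> List[Risk]:
    """Highest current score first; ties broken by impact so harm outweighs frequency."""
    return sorted(register, key=lambda r: (r.score(), r.impact), reverse=True)


def above_line(register: List[Risk], line: int = ACCEPTABLE_RISK) -> List[Risk]:
    """The remediation queue: every entry whose current score sits above the line."""
    return [r for r in prioritised(register) if r.score() > line]


def total_known_risk(register: List[Risk]) -> int:
    """Assumed definition: the sum of current scores across the whole register."""
    return sum(r.score() for r in register)


def total_residual_risk(register: List[Risk]) -> int:
    """Where the register lands if every planned control delivers as estimated."""
    return sum(r.residual_score() for r in register)


def road_map(register: List[Risk], line: int = ACCEPTABLE_RISK) -> List[dict]:
    """Ordered plan for risks above the line, flagging controls that do not reach it."""
    return [
        {
            "id": r.id,
            "score": r.score(),
            "control": r.planned_control or "NO CONTROL PLANNED",
            "residual": r.residual_score(),
            "reaches_line": r.residual_score() <= line,
        }
        for r in above_line(register, line)
    ]


# Constructed sample register (not real findings).
SAMPLE_REGISTER: List[Risk] = [
    Risk("R-1", "Internet-facing VPN appliance missing vendor patches", 4, 5,
         "Patch appliance and enforce MFA", residual_likelihood=2),          # residual 10: still above 8
    Risk("R-2", "Backups never tested for restore", 3, 4,
         "Quarterly restore tests", residual_likelihood=1),                   # residual 4
    Risk("R-3", "Guest Wi-Fi password posted in lobby", 5, 1),                 # score 5: accepted
    Risk("R-4", "Pen test: SQL injection in customer portal", 4, 4,
         "Parameterise queries; add WAF rule", residual_likelihood=1),        # residual 4
]

if __name__ == "__main__":
    print("total known risk:", total_known_risk(SAMPLE_REGISTER))
    for step in road_map(SAMPLE_REGISTER):
        print(step)
```

The one edge case worth noticing is R-1: its planned control cuts the score from 20 to 10, which is still above the line, so the road map flags it rather than letting a half-measure read as closure. Feeding a new pen-test finding into `SAMPLE_REGISTER` and calling `above_line` again is the “as things come in, those are prioritized” loop from the interview: the queue reorders itself and the road map is regenerated, not rewritten once a year.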
How will IT cybersecurity compliance evolve going forward?
First of all, our industry is chronically under-resourced. Rarely do you run into a CISO with a team of information security professionals saying they just don’t have a lot going on or they’re kind of stalled out right now. It’s always the opposite. So why is that happening? Because it’s very difficult to justify the resources you need when you’re speaking a different language from the people who are providing those resources.
The other thing that’s happening is a large part of our world has not gone to a governance, risk and compliance (GRC) application. They’re in spreadsheets or they don’t even have a risk register. Everyone knows that a GRC application could help them address automating that risk management process, but they are very well aware of the significant cost and the heavy lift to get into one.
We have authored an application called Reasonable Risk, which gives you significantly more power than most GRCs at a very light lift. I think that’s going to be a trend, a way to get out of spreadsheets and into running risk, because people are going to need to automate this process through a database-driven application, not through a spreadsheet and PDF files.
Another trend I see is the proliferation of the Duty of Care Risk Analysis [(DoCRA)] method or other methods like it that allow you to talk to the board and the leadership team in terms that they understand. A good analogy is, we all used to have a dictionary, a paper dictionary. Not very effective for a conversation, and then Google Translate came out, as well as other online translators. So now we can have almost a real-time conversation with someone in any language by just quickly translating.
And so one of the things I see happening in the future is cybersecurity is going to be able to have a conversation with the board because they will be speaking the same language instead of talking of threats, vulnerabilities, and impacts. And in doing so, we’ll be able to approve resources and just have a better relationship and have a seat at the table.