The SEC has recently adopted rules requiring public companies to disclose material cybersecurity incidents, and it has charged a software company and its CISO with fraud and internal control failures. Companies now have to respond to and comply with these regulations. Karen Worstell of Carbon Black offers four ways for security teams to address the SEC’s new cybersecurity rules effectively:
- Elevate cybersecurity risk management to a CxO business function
- Set aggressive metrics for cybersecurity improvement
- Commit to more transparency
- Take a holistic and business-centric approach
Worstell emphasizes that CISOs must position themselves as consultants and risk mitigators, driving broader involvement in, and accountability for, cybersecurity across their organizations. This requires elevating cybersecurity risk management to a C-suite executive function and treating it as a top-level priority. Setting aggressive, measurable metrics for improvement gives security efforts concrete targets, a basis for prioritization, and a way to track progress.
Transparency is also crucial: the SEC has sent a clear message that unreported or understated incidents expose a company to legal, financial, and reputational risk. CISOs should ensure that reporting in key documents, including the regulatory filings that now carry incident and risk-management disclosures, is transparent and detailed, and should build awareness of threat trends both within their organization and across their industry. Finally, CISOs must shift from an incident-centric mindset to a business-centric one, maintaining a strong defensive posture whose goal is to minimize risk to the business as a whole rather than to handle incidents one at a time.
The SEC’s new rules and its charges against SolarWinds Corporation highlight the need for a systemic change in how companies approach cybersecurity. By adopting these strategies and treating cybersecurity as a well-managed business function, organizations can comply with the SEC’s regulations and reduce the harm caused by cybercriminals.