August 31, 2022

Understanding SEC’s Proposal for Cyber Risk Management with Yaron Levi

by Cyber Ranch

Show Notes

Yaron Levi, current CISO at Dolby and former CISO at Blue Cross Blue Shield in Kansas City, comes down to the Ranch to talk about the March 2022 proposal from the Securities and Exchange Commission (SEC). Titled the Cybersecurity Risk Management Strategy: Governance and Incident Disclosure, this proposed set of amendments has major implications for cybersecurity in any publicly traded company. Yaron walks through his research into the proposal and explains what it is likely to mean for real-world cyber practitioners.

 

Timecoded Guide:

[00:00] Introducing the Cybersecurity Risk Management Strategy: Governance and Incident Disclosure

[08:45] Explaining Form 8-K filings and the four-business-day disclosure window

[14:03] Debating the obligations of a third party in an incident (i.e. supply chain)

[16:04] Comparing the SEC’s cyber proposal to accounting’s GAAP

[25:33] Involving the Board of Directors in cyber risk management 

 

Sponsor Links:

Thank you to our sponsor Axonius for bringing this episode to life!

Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walkthrough of the platform at Axonius.com/Get-A-Tour

 

This is a proposed set of amendments and not a ruling. What does that mean, in terms of the real world?

Although the proposal was released in March 2022 and is currently open for public comment, Yaron explains that versions of it have been circulating in the industry since about 2018, and a final rule is not expected before October 2022. In the meantime, many in the industry are asking what these regulations will mean for cyber practitioners. Yaron understands those concerns, but emphasizes that this is part of a maturity progression for the cyber industry.

“With everything happening around us over the last several years, we see security becoming a higher priority and a higher maturity in many organizations. By and large, organizations understand that security is not a luxury anymore, or something that doesn't apply to them.”

 

Is this proposal starting to put some real pressure on organizations to not just give lip service to cybersecurity?

Lip service to cyber is unfortunately common among publicly traded companies that want to look safe without putting real effort or expertise into security. Yaron believes this SEC proposal will go a long way toward encouraging companies to develop and mature their cybersecurity teams and programs. As cyber risk management roles and board-level involvement become a must, lip service will give way to real strategic change and a better understanding of the impacts and implications of security.

“I think, as we mature as an industry, and as we more and more understand the implications and the impacts of security on everything we do, strategy is something that will be very important for us to have. I would assume that every company will need to have one.”

 

Is this the right time for people to be excited about if there's gonna be a lot more CISO jobs open up, or if there's gonna be more board seats opening up for CISOs?

Yaron believes this SEC proposal will build on processes and initiatives already in place and continue to elevate the expertise and opportunities within cyber. While many may see an increase in CISO roles and board opportunities, it's important to note that this is not just about roles and jobs; it's about cyber's maturity. Our community, not just in cybersecurity but throughout the world, has become dependent on technology, and it's vital to have individuals leading with maturity and competence to keep these technical processes secure.

“Overall, I think these strategies are a really positive move, in terms of elevating the conversation, educating, providing more expertise, providing more knowledge, which ultimately, all of us will benefit from. All of us, and community and society in general.”

 

Do you have any closing thoughts or comments on this SEC proposal?

While Yaron breaks down individual elements of the Securities and Exchange Commission proposal with Allan, he sees its most essential impact as the potential it has to elevate the industry. Maturity and legitimacy are badly needed in order to create cybersecurity's own version of generally accepted practices. In the same way that accounting has GAAP, Yaron hopes this SEC proposal is a sign of the cyber industry growing up, coming into its own, and creating more rigorous processes for risk assessment.

“These proposals are part of our maturity progression and are part of our growing up as an industry and as a practice. This is something that we have to evolve into. We can probably look at other industries and figure out what we can learn and leverage from them.”

-------------

Links:

Keep up with Yaron Levi on Twitter and LinkedIn

Follow Allan Alford on LinkedIn and Twitter

Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store 

Continue this conversation on our Discord

Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast



Transcript

Yaron 00:00
This is something that is part of our maturity progression and is part of our growing up as an industry and as a practice, this is something that we have to evolve into. We are not special in that regard. We are not different. We can probably look at other industries or other professions or other functions that went through the process and figured out what we can learn and leverage from that.
Allan 00:20
Howdy, y'all, and welcome to the Cyber Ranch podcast. That's Yaron Levi, CISO at Dolby, former CISO at a well-known healthcare insurance company, an investor and advisor and an all around veteran of the industry. We're talking today about the Securities and Exchange Commission, the SEC, and its March 2022 proposed amendments to enhance and standardize disclosures related to cybersecurity for publicly traded companies in the US. The proposal is called the Cybersecurity Risk Management Strategy, Governance and Incident Disclosure. This is a big deal, because it's not just about disclosure, but also about the management and governance of cybersecurity risk and incidents, and they even talk about roles and responsibilities. So, there are a lot of direct implications at the CISO level and the board level both, and Yaron and I are diving into this one and I think you're going to enjoy it. So, Yaron, thank you so much for coming back to the Ranch.
Yaron 01:08
Thank you, Allan. Oh, always a pleasure being here.
Hacker Valley Studio 01:13
Welcome to the Cyber Ranch podcast. Recorded under the big blue skies of Texas, where one CISO explores the cybersecurity landscape with the help of friends and experts. Here's your host, Allan Alford.
Allan 01:36
Alright. So, for our listeners who didn't catch you last time, why don't you give us a brief bit about your background and cyber a little bit about your day job?
Yaron 01:42
Yeah, so I'm Yaron Levi, I am the CISO for Dolby Labs. So, Dolby, you've seen us, pretty much you'll see our logo in your stereo system, when you went to the cinema or on your TV. So, we basically focus on bringing more experiences to more people worldwide, and so just it's a fun industry. We're making fun things for people. Yep, been in security for probably 15-plus years, at different companies, was the CISO at Blue Cross Blue Shield here in Kansas City until December of 2020. And also, I spent time in other companies in the past, Cerner Corporation, big healthcare IT company, Intuit, eBay, and others. And I'm a guest from time to time here on the Ranch. Happy to be back here again.
Allan 02:23
Fantastic man, I'm so glad you came back and I'm so glad you suggested this topic, because this is one I've been wanting to get into, but I wanted to find a guest who had done more research than I had, because frankly, I've been so busy, I've barely scratched the surface on this thing. This thing goes deep. So, let's contextualize it a little bit first. So, this is a proposed set of amendments and not a ruling, correct? What does that mean, in terms of the real world? When does the impact hit? What should we expect? How much change should we see coming? What does this mean to us, given that it's proposed?
Yaron 02:51
So, the proposal came out in March, and it's currently open for comments. What I'm hearing is that it's expected to become a rule in October, but keep in mind that the version of the ruling has been floating around since about 2018. So, it's not completely new. I think it's safe to assume that at some point, it will become official, whether this time around or the next time around, or sooner or later. I think it's safe to assume that, given what's happening around the world, and how cyber is becoming or cybersecurity is becoming more top of mind for a lot of organizations, falling bridges, like colonial pipelines and some other things, I think it's just a matter of time that will become, or some form of that will become official. In terms of what we can expect in the real world, well, like I said, with everything happening around us over the last several years, we see security becoming a higher priority and a higher maturity in many organizations. By and large, organizations understand that security is not a luxury anymore, or something that doesn't apply to them. Whether you sell hammers or provide the latest cool social applications, more organizations recognize the importance of security. Personally, I don't think that a regulation is the only reason to do security, but it's a motivator for some organizations, so be it. Let's take the leverage that we can. And then also, we need to remember that regulations are never proactive, and are usually a response to things that happened in the past. So, this is part of the overall maturity progression, and how we evolve and that's just another step.
Allan 04:26
Yeah, that's a very astute point there. And I know, to your point, I know a lot of CISOs who are already acting as if this is going to be law, and are already heading towards compliance with it. I've personally witnessed friends of mine treating it like, "Oh, we gotta get ready for this. It's coming. It's going to be real." And I'm not at a publicly traded company right now. Thankfully, I haven't had to knuckle down, and that's part of the reason I hadn't researched this one so much, as I knew it was a bullet I was at least for now dodging, but that's what I'm hearing on the field. I've got friends that are saying, "Yeah, this is it. We're already treating this like it's real, and our board is taking this seriously and the CEO is taking this seriously and the CFO is taking this seriously." Is that the same kind of buzz you're hearing?
Yaron 04:35
I think, yeah, that's pretty much what I'm also hearing on the industry. Again, if anything, it will push organizations to better improve the risk management practices and better mature the conversation about security, taking it from a predominantly technical risk conversation, to more of a business risk conversation. I think that's ultimately when we need to go.
Allan 05:01
Hallelujah. Okay, so let's talk about the disclosure piece here, because the disclosure piece to me, it's where they spent the most attention in this proposal, to my mind, having read through it all and read the summaries and looked at the analyses from the various experts, or so called experts in the industry, whoever they might be. It seems that the disclosure piece was really a core focus for them, and the part that's interesting to me is they talk about having to file a Form 8-K, within four business days of when a security incident is determined to be material, right? Four business days, you have to file a new 8-K. And their definition of material, of course, is the definition that's already sort of defined in securities laws. If you look at the various securities laws in the US, you know, what they're saying with material, this is basically impact to the bottom line, something vague and soft, like brand damage, isn't necessarily a material risk by those definitions, as I understand it, but anything that truly impacts bottom line, shareholders, etc., would most definitely be. And so, brand damage could in theory even fall into that category. It's a little vague, and that's another area I want to dig into. But let's start with: What is the definition of material as they refer to it in this document directly, as opposed to securities case law kind of thing? And then, a little bit more about this 8-K thing. What do you know there?
Yaron 06:29
Yeah, absolutely. Excellent questions. So, I think the proposed rule doesn't define the materiality in the cyber context just yet. I think it's a little open. It's a little vague at the moment. And it's also probably safe to assume that this point may be contested in the courts and things like that. But I think we probably expected to get more clarity in the future, and maybe it is part of this comment period between March and whenever the SEC is going to make it a rule. I assume that that's probably going to be a lot of the feedback they're going to receive, I mean, from different organizations about, "Okay, what is considered or what is defined as material in a cyber incident?" But I think, like you said, in the more traditional sense, a piece of information is considered material if it's reasonable to expect that the disclosure of that information will impact the company's stock price. So, ultimately, it was created to protect shareholders, right? And investors.
Allan 07:17
Straightforward definition there, but there's lots of room for interpretation and that's why, because brand damage, well, brand damage potentially has a stock impact. But how do you measure the stock impact of brand damage? Can you prove that the stock went down $1 because of brand damage? Or is that a vague and fuzzier thing, you can dodge the 8-K requirement, and not file like, this is where I was going when I was asking my question. It's the hacker mindset. I'm always looking for the hole in the system.
Yaron 07:40
Looking for the problems. And you know, there's also so many other interesting aspects where I've seen some academic papers. I cannot pull them right now, because I don't remember where I filed them, but I know I have them on a computer somewhere. And also, there was a blog post that was written by one of my friends, Gunnar Peterson, years ago, I want to say maybe 10 years ago or so. But they actually looked at the performance of the stocks of companies that got breached, and the interesting part is that, even though there's usually a dip after a breach, in the long run, you see all those companies actually outperform the market. So, not advocating, I mean, for companies to get breached because of that, it's not good for business. But it's interesting to your point, like, how would you define materiality? What does that include? Are you looking at right now or in the future? Who knows? I think there's gonna be interesting considerations to look into. Ultimately, breach is not a good thing. We all know that, yeah, and we have to do our best to protect the company, to balance the risk properly, and manage that. But again, it's going to be interesting how that's going to be defined and how that's going to be measured, because to your point, that could be interpreted in many, many different ways.
Allan 08:45
And the four day thing is the other part that popped out in my mind, because as soon as you say it's a material risk, we have to file an 8-K. An 8-K is a standard sort of statement of impact. It's not a 10-K, which is filed regularly, an 8-K is filed when an event occurs. And now, they're seeing cyber events qualify as 8-K events, right? And they're saying you have to do it within four days. I have been in the supply chain probably 50% of my career, I've been in companies that were somebody else's supply chain, video conferencing, telecom, whatever products I made or services I delivered, SaaS offerings I had, whenever I was someone else's supply chain. And as a result, being the CISO at a supply chain company, I was frequently sent these questionnaires and all the usual "Do you have SOC 2? Are you secure? And do you have this and do you do that?" But inevitably, there's something in those questionnaires and in those contracts about a reporting period, if there's some kind of a breach and the customer's data, we're a customer of your company, our data is impacted, you know, you're going to notify us within blah blah as a result. That blip is very often suggested to be 24 hours, I've seen on first drafts of contracts. I have also seen it pushed out to as far as two weeks and it's hovered anywhere in that range. People always come in saying 24 hours and the people that actually are the supply chain come back and say 24 hours is unrealistic. We can even notify all of our own people in 24 hours, there's no way you're getting notified ahead of our own people. So, the point is four days, to me, in my experience having signed dozens of those contracts over the years, that's really aggressive. Four days to drop everything, say, "Oh, it's definitely material, it's definitely an impact, it was definitely caused by the breach. Here's the facts. Here's the figures. And here's what we were reporting." Four days to turn all that around is impressive.
Yaron 10:15
And it's going to be an effort, and we probably will need to prepare for that. You're right. I mean, we've seen things that are sometimes as little as 24 hours and even sometimes even below that. Yeah, I remember sometimes seeing a contract from a client that was asking for three hours. Wow, obviously, it's how do you meet that? I mean, how do you meet them in that requirement? But the interesting thing is that the SEC is proposing the four business days after the organization determines it has experienced what they call a "material cybersecurity incident." And the question again, is that definition, right? How do we qualify that? Once it's qualified, or until it's qualified, then you may have a grace time, but once it's qualified, then the question is like, "Okay, now the clock starts ticking." Actually, when you read the proposed ruling, they actually define and they say it's an unauthorized occurrence, or conducted through an organization's information systems that jeopardizes the confidentiality, integrity, or availability of an organization's information system, or an information residing therein.
Allan 11:18
Okay, so they're falling CIA and they're falling on infrastructure?
Yaron 11:21
Yes, but it's broad. I mean, you could argue that a lot of things can fit into that. So, it's interesting. It's pretty broad, it's going to make it difficult. I don't know if I'm concerned very much about the time, once you determine to report. I mean, yes, we could argue four days, five days, 10 days, 20 days, there are pros and cons to each thing. But how do you make that determination of what is that material incident? There are different ways of how people are doing that. I think one of the things, or this is not new, but if you think about HIPAA as an example, HIPAA has a breach certification rule and it's pretty decent one, I think they did a good job defining a breach, and basically, it calls for a risk assessment based on four factors to determine whether an incident is actually a breach. If you determine that, then you have 60 days in the case of HIPAA, not four days, but here's the interesting thing, they talk about a breach. The SEC is talking about an incident. These are two different things.
Allan 12:20
These are very different things, and that's exactly what I was about to drill in. Because I thought of a crazy example. You wake up one morning as the CEO and find out that your customers' data is all over the internet. Has an incident occurred? Yeah, maybe, okay, let's even say yes. Do we know yet if it was a cyber incident? Could have been a disgruntled employee took a stack of paper with them? You don't even know if infrastructure or cyber was involved at all. You don't know if IT or technology was involved. This could have just simply been a person sharing a physical book with somebody else, and then somebody photocopied it, now it's all over the internet. So, there's an example of like, okay, so, we have an incident, we'll even agree that that's an incident. To your point even, that's not necessarily 100% locked in, just to say that. Now, is it material? That's its own conversation. Was it cyber? And that's its own conversation. At what point in all of that do you suddenly click it all together and say, "It was definitely an incident, definitely cyber, definitely material. Now, the clock's ticking. I got four days to report." There are all manner of spectrum there on all three of those slider bars, where you could be completely confused and not 100% on any one of the three. Yes, it was cyber. Yes, it was material. No, it's not an incident. Yes, it was an incident. Yes, it was material. No, it wasn't cyber. You know what I'm saying? There's chaos there to me. And to insist that snap, four days?
Yaron 13:31
To add to that, if you also consider supply chain, using all the third parties that we're using, and sometimes how our systems are being used over a third and a fourth party, sometimes, yes. It could be maybe an incident on the fourth party that ultimately impacted you, and you suffered the breach, essentially, but are those directly on you? So, where do you mark the line? How do you draw the line between what's the scope of what we're responsible for? What do we need to report and what don't we report? That's going to be interesting.
Allan 14:03
Yes, that's another. I'm thinking of some real world examples, just from the last year, where it turned out to be the supply chain was the source of the leak. If it was a cyber material event, if we're gonna keep using those three terms. Yes, it was cyber. Yes, it was an incident. Yes, it was material, but it wasn't the primary entities of cyber infrastructure or IT infrastructure that was at fault. It was a third party altogether. And so, is the third party obligated to report? Or, are you obligated to report?
Yaron 14:28
Yeah, there's gonna be a lot of things that, I guess, will need to be flushed out over time. But it also brings up another interesting point, and I think this is something that for a lot of people, I don't know if they always kind of think about or don't think about who is responsible and who is accountable. Because one would argue that, even if it was a third party that you're using, but ultimately, it's your data or your the company again— Are you accountable for your response? So, there's a lot of gray areas I think we all need to be discussed and cleared over time. Again, it's part of our maturity progression. It's part of how we growing up as an industry, as a practice. It will be interesting to see where it goes, and yeah, we're going into some uncharted territory today.
Allan 15:16
Let's pause right there and hear a brief word from our sponsor.
Axonius Ad 15:19
We get it, another vendor running another podcast ad, trying to get you to check out their product. Instead of explaining to you what our amazing sponsor Axonius does, we've brought in an Axonius customer to fill you in. Take it from Jason Loomis, Chief Information Security Officer at Mindbody.
Jason from Mindbody/Axonius Ad 15:37
The sheer excitement of my team to have visibility into what's in our environment and have it all in one location is just— I can't express how important that is for us.
Axonius Ad 15:47
Want to learn more about how Mindbody enhance their asset visibility and increased their cybersecurity maturity rating with Axonius? Watch the video at Axonius.com/Mindbody.
Allan 16:04
Okay, so, we've talked about disclosure with the four-day turnaround, the 8-K, we talked about material definition, we talked about incident definition a little bit. Now, we talk about the 10-K and 10-Q forms, and these are the scheduled filing forms, as opposed to the when an incident occurs 8-K forms, they're saying that a series of previously unreported immaterial and separate incidents would need to be disclosed in the 10-K and 10-Q as well, if and when they become material in aggregate. So, this is important. If you know you filed your 8-K on a specific known incident, obviously, that's going to appear in your 10-K later as well. But now, they are saying a series of previously unreported immaterial and separate incidents would need to be disclosed in the 10-Q if and when they become material in aggregate. That is a mind blower, to me, because again, I get it, anybody who's done vulnerability management, and anybody who's studied kill chains knows that three smalls can make a big, and that's the logic there. I get that logic, but again, at what point do I determine that this random mishmash of assorted things suddenly is material and in aggregate? And do I have to wait for the aggregation to occur at the hands of the bad guys? Do I have to hypothesize it? Do I have to spot this one thing over here and this one thing over there and the one thing over there and say, "Well, hypothetically, this would be an aggregate and would be material if they were to be," and again, we're talking about incidents, there's a lot getting loaded into that term, too.
Yaron 17:22
I'm going to actually address it from maybe a slightly different angle. But it reminds me something that I heard you saying several times on this show, and also on the previous one, and I remember and I use that metaphor several times, where you talked about the fact that where we are today in security as a practice, it's the same way of finance was before the GAAP rules, the generally accepted accounting practices, right? And this is part of the challenge, because if we don't have accepted and agreed upon GAAP rules for security, we're always going to be threatened. What are we measuring against? We have a lot of frameworks that are similar, but they're also different. In some of those frameworks are not, or actually I would say most of those frameworks, are not very definite. They're also not very prescriptive. So, even within the framework, there's a lot of room for interpretation. The interesting thing about it is, even within the federal government, by and large, I mean, all of the frameworks within the government are based on NIST, but even the agencies will create their own flavor based on NIST, and sometimes, you will see they even contradict each other. So, again, it's kind of going back to what you said, we don't have those GAAP rules, if you will, for security, right? I was talking to a friend the other day, and we lamented about different things, about our lives and practices and securities and whatnot. And he said something, which I thought was like, pretty funny, but I think it was actually also true when, if you think about it this way, take two CFOs and ask them, "Okay, how do you run a finance practice?" They will probably agree on most things, right? But you take two CISOs and you ask them, "Okay, how do you run a security practice?" You are probably not gonna find two that are going to agree. I mean, you get two very different answers. So, that's part of that. We don't have those GAAP rules. We don't go to business school, get an accounting degree, and kind of rose over time, I mean, to be CFO, it's different. I don't know if it can ever be the same, but it's again, we need to remember we're still a very young practice. We've only been around what? 20 ish?
Allan 19:26
Yeah.
Yaron 19:26
30 years, maybe?
Allan 19:27
Yeah, accounting has been around a tad longer than that. Yep.
Yaron 19:30
And we are doing better. We are progressing. We are accelerating, but at the same time, we still have a lot to do.
Allan 19:37
Yeah, it gets interesting because, and I'm philosophically with you, we need that centralization. I think it's desperately overdue as an industry, we're ready for that big step. There's going to be a lot of us CISOs that balk at it because we've always done it this way, and the standard we settled on was the other one, there's gonna be a lot of that. There's going to be a lot of, "This doesn't fit my shop." There's going to be a lot of, "Oh, this feels like unnecessary regulation and hassle and overhead and headache and Big Brother oversight," and all those things. There's going to be some of that if we do this, there is going to be some of that, guaranteed. But what's interesting to me is the SEC is putting a foot forward in what is ultimately, and you've already alluded to this in an earlier question here, it's going to fall down to a certain extent on case law. Because SEC is saying, "We've got a rough idea based on securities law of what material means, we're not going to define it in this document, we're relying on basically case law definition of it and existing securities law, and interpretations that have gone through the courts," etc, etc. Incident is going to run through the same process, cyber is going to run through the same process, all these things are gonna get defined by case law, ultimately, and so the centralization that this represents, I think, is still a good couple of steps shy of that vision you're describing, of having something like GAAP accounting practices for us, right? I don't see that we're gonna get there right away. I think this is a good step, but I don't think we're getting there right away.
Yaron 20:50
It will take that, but here's just an interesting and just kind of trivial point, maybe for your next cybersecurity trivia night. There's actually NIST 814, published in 1996 and it's actually titled, Generally Accepted Principles and Practices for Security Information Technology Systems. So, somebody thought about it, but we still didn't fully adopt that.
Allan 21:15
Right, right. We never adopted that one. And to your point—
Yaron 21:18
Maybe we'll go back and stop back there, I guess, all over again.
Allan 21:21
There you go, I worked at a shop that was international, and that ran off of both NIST and ISO. And every audit we did internally, we had to incorporate both NIST and ISO, we had to do both. That's a mess to try to reconcile, dealing with the overlaps and contradictions there. Just recently, I've done a bunch of work with NIST 800-161 and 800-82, both of which are overlays on top of 53 with unique interpretations and twists for, respectively, supply chain and critical infrastructure, even within the NIST 800 world, you don't have consistency or uniformity. So, there it is. So, we've talked about disclosure, we've talked about on-the-spot disclosure with the four-day turnaround and the 8-K, we've talked about regular disclosure. Now, this whole aggregate events thing, do we want to talk a little bit more about that? Or, do we feel like we've covered that one enough, this idea that three smalls can make a big? How do I make that determination, and when do I report? I mean, that's really, that's it. That's the challenge.
Yaron 22:12
I guess, we'll wait and see. We'll see how that's going to evolve. Yeah.
Allan 22:15
Okay. So, now we're going to pivot, because disclosure is what the ruling is mostly about. But then, they get into some really interesting stuff. They talk about governance and even management of cybersecurity risks, companies would be required to disclose their cybersecurity risk management and strategy. So, disclosure is now not just of events and incidents, it's disclosure of your management and strategy. This includes management's roles and relevant expertise, I'm going to emphasize that phrase right there, in assessing and managing cybersecurity risks. This includes disclosure of any policies and procedures, and this is big, we're not even into the actual personnel and the roles yet officially here with this piece of it. And yet, we're already talking about relevant expertise, policies, program, and management, this is starting to put some real pressure on organizations to not just give lip service, right? Like, what's your take on this one?
Yaron 23:08
Yeah. So, I think history is always interesting, right? I mean, we always have to look at history and learn from history. Until Sarbanes-Oxley came out in 2002, publicly-traded companies weren't even required to have somebody who can read financial statements on the board of directors, which is crazy to think about. Can you imagine having a publicly-traded company without a single director on the board that can read financial statements? It's kind of unthinkable, right? I mean, it's crazy to think about these days, but that was only 19 or 20 years ago. So, to your point about expertise, this is something again, we are evolving, we're learning, this is something that we'll have to have. And I think overall, companies will need to strengthen that muscle. It's not just about the CISO, but it's also other functions within the organization around risk management, around how cyber risk ties together with business risk overall, and financial risk, and so on. Definitely a lot of room for all of us as an industry to improve and mature. Personally, I just don't understand how any organization can function without having a security strategy, or any strategy for that matter, right? If you're a new CISO in your organization, whether you're the first ever CISO for them or not, I don't expect you to have a strategy the day you walk in the door, right? But I think that this is the first thing you need to create, is that strategy, at least have a direction. Where are we going? Have something that will inform everybody around you about, okay, here's the direction. Then you can start arguing, right direction, wrong direction, whatever, but you still have to have something. And I know that oftentimes, and you kind of hear that all the time: What are you going to accomplish in your first whatever, 90 days or whatnot? People rush to execute. Yeah, but this always reminds me, one of my favorite books is from Sun Tzu, and one of the quotes from there is that strategy without tactics is the slowest route to victory, but tactics without strategy is the noise before defeat. You have to have both. You have to understand first of all, where you're going. And then, okay, how are you going to get there? You can't have one without the other. So, I think in this context, the same thing applies here. I think, as we mature, as a practice, as an industry, overall, as we understand more and more the implications and the impacts of security on pretty much everything we do, that strategy is something that is very important for us to have. And I would assume that every company will need to have one.
Allan 25:33
There you go. That's a good overview, and that's a nice segue. Okay, so we've got our strategy. We've got our management, our policies, our procedures, we've published all that. And now, we do get into specific roles, and this is the part where, again, back to the buzz in the community. You know, my CISO friends that are prepping for this, and assuming this has happened, there are two groups of people I've seen that are very happy and very excited about this proposal. The one group is people who want to become CISOs, and are thinking there's gonna be a lot of CISO slots suddenly opening up. The folks that haven't gotten their first CISO role, but have been looking for it. If this stuff flips over from proposal to law overnight, there's going to be boatloads of new CISO hires, and there's gonna be all these people that have been wanting to be a CISO getting their first shot at that, and that crowd is excited about it. The other crowd that I've seen that's excited about it are the CISOs that have been around for a while, like you and me, who are now thinking, "I could get a seat on the board." And so, I think both crowds are very excited about this prospect, right? There's kind of a board level and a CISO level proposal tied up in all this. They talk about whether there is a CISO or not, where that individual reports to, and whether there's expertise on the board itself. Board of Directors governance over cybersecurity is called out in the sense of how cybersecurity risks are considered in terms of business strategy, this to your earlier point here, risk and financial oversight, and which members of which committees on the board fulfill this function as well. So, they are very, very much getting into the roles now. What do you think? Is this the right time for people to be excited about whether there's gonna be a lot more CISO jobs opening up, or there's gonna be more board seats opening up for CISOs? Is that where you see it going?
Yaron 27:04
Yeah, that's really, really interesting. I don't know. I think on one hand, yes, it's going to be beneficial for companies, given that security is becoming such a higher risk in this digital world, to have a representation on the board that can help represent and help kind of manage that risk, and provide oversight for that risk. So, I think from that perspective, again, similarly to what Sarbanes-Oxley did for financial risk, things like that, I think it's important. What I'm struggling with is: How will that function without having the security, quote unquote, GAAP rules in place? So, what standard are you going to hold yourself to? How are you going to measure? How are you going to provide it? There are several, I know, there are a couple of initiatives in the industry. There's a gentleman by the name of Bob Zukis, Digital Directors Network, right? And Bob has been beating this drum and championing a lot of those ideas and proposals and being very vocal on, like, "Hey, we have to create those things, we have to create those frameworks, we have to manage the risk properly," because that's important.
Allan 28:11
He's roped in some real talent into that organization, and a lot of folks I really respect had been through his program and gotten his stamp.
Yaron 28:17
Yep. So, that's one. The NACD has some programs in place. So, I think, overall, I think it's a really positive move, in terms of, again, elevating the conversation, educating, providing more expertise, providing more knowledge, which ultimately, all of us will benefit from. All of us, like community and society in general, right? Because, again, we're so dependent on technology, we're so dependent on this digital world, and it can be abused, as we've seen, for many bad things. So, I think it's warranted for us to have and to elevate that and to continue maturing that. And I think putting that at the board level, or raising that to the board level, is something we already see happening. I know many CISOs regularly report to the audit committees and to the Board of Directors. It's definitely something that is top of mind for a lot of CEOs and boards, and so on. So, we're going to continue to see that rising. Yeah, and I think it's important.
Allan 29:12
Yeah, I think so, too. And it's interesting, you cited DDN, NACD. There's a piece there, and this ties back to your strategy and tactics comment from Sun Tzu: we oftentimes, in the cyber world, look at a framework like NIST 800-53, or CSF, or ISO 27001, we look at the framework and think of that as the strategic, and the actual implementation of the various controls to fulfill that framework as the tactical. What we're really saying is we have to elevate this level of discourse one more level up, to where the framework really is the tactical, because the strategic is how you take a cybersecurity framework and integrate it into a greater world of business, business risk, financial planning, business planning. The piece that isn't in most of the cyber standards is the part that's bigger than cyber. That's where the standards are lacking to me, and that's where, in my mind, that's kind of where the SEC is going with all this in the first place. They're trying to hone in on that deficit. It's like, "Okay, great. So, you've got 800-53, and you can check a bunch of boxes and show that you deployed this tool and that tool and conformed with this requirement here. They're in there, but how does that fit into the bigger business picture?" How does that fit into both the management and the governance of your business? How is it benefiting and affecting shareholders? So, I think that's the missing piece that the SEC is trying to hone in on here. That's kind of my take on it.
Yaron 30:23
Yeah. Absolutely. Yeah, I think that's a good point.
Allan 30:28
Alright. Well, listen, we are getting close to time here. Do you have any more closing thoughts, comments on all this SEC proposal? Any other words of wisdom you want to share with the audience?
Yaron 30:37
Well, again, I think, like, as we talked about before, it's a matter of time. Whether it's this time around or next time around, something will happen. I don't think it's a matter of if, again, it's a matter of when, borrowing from this sentence that we hear a lot about breaches or whatnot. Right? But again, this is something that is part of our maturity progression, it's part of our growing up as an industry and as a practice. This is something that we have to evolve into, and we are not special in that regard. We are not different. We can probably look at other industries or other professions or other functions that went through the process, and figure out what we can learn and leverage from that. So, yeah, build good relationships with your finance department and the finance teams, and talk to them about how they think about financial risks and business risk and things like that. I think, yeah, we have a lot to learn from each other.
Allan 31:25
Yeah, we do. That's great advice. That's fantastic. Alright, Yaron Levi, I got one last question for you. I ask all my guests: You get a magic wand, you get to wave it, and change one and only one thing about the entire world of cybersecurity. Could be people, process, technology, anything goes. You get to change one thing about cybersecurity, what's the one thing you would change with your magic wand?
Yaron 31:46
Well, that's so hard, just to pick just the one, but I think, just kind of given our conversation here, I will go with, Allan, finally agreed-upon GAAP rules for security. That's my magic wand. Wave that, and if we could get that, I think that will help us a lot.
Allan 32:04
There we go. There we go, and I can quit using that metaphor. Oh, that's awesome. Alright, well, Yaron, thank you so much for coming on down to the Ranch. Thank you, listeners. Y'all be good now.