August 31, 2022
by Cyber Ranch
Yaron Levi, current CISO at Dolby and former CISO at Blue Cross Blue Shield in Kansas City, comes down to the Ranch to talk about the March 2022 proposal from Securities and Exchange Commission (SEC). Titled the Cybersecurity Risk Management Strategy: Governance and Incident Disclosure, this report has huge implications for cybersecurity in any publicly-traded company. Yaron walks through his research into this report and explains what this means in the future for real-world cyber practitioners.
[00:00] Introducing the Cybersecurity Risk Management Strategy: Governance and Incident Disclosure
[08:45] Explaining filing 8-Ks and 4-day turnaround disclosures
[14:03] Debating the obligations of a third party in an incident (i.e. supply chain)
[16:04] Comparing SEC’s cyber proposal to accounting’s GAAPs
[25:33] Involving the Board of Directors in cyber risk management
Thank you to our sponsor Axonius for bringing this episode to life!
Manual asset inventory just doesn't cut it anymore. That's where Axonious comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk through of the platform at Axonius.com/Get-A-Tour
This is a proposed set of amendments and not a ruling. What does that mean, in terms of the real world?
Although the proposal was initially released in March 2022, Yaron explains these current rulings have been floating around the industry since 2018 and aren’t expected to become solidified until October 2022. In the meantime, many in the industry are curious about what these regulations mean for any and all cyber practitioners. Yaron understands the concerns many have, but also emphasizes that this is a maturity progression for the cyber industry.
“With everything happening around us over the last several years, we see security becoming a higher priority and a higher maturity in many organizations. By and large, organizations understand that security is not a luxury anymore, or something that doesn't apply to them.”
Is this proposal starting to put some real pressure on organizations to not just give lip service to cybersecurity?
Lip service to cyber is an unfortunate commonality among publicly traded companies that want to look safe without putting the effort or expertise into security. Thankfully, Yaron believes this SEC proposal will accomplish a great deal in encouraging companies to develop and mature their cybersecurity teams and protocols. As cyber management roles and board integration becomes a must, lip service will give way to real strategic change and a better understanding of the impacts and implications of security.
“I think, as we mature as an industry, and as we more and more understand the implications and the impacts of security on everything we do, strategy is something that will be very important for us to have. I would assume that every company will need to have one.”
Is this the right time for people to be excited about if there's gonna be a lot more CISO jobs open up, or if there's gonna be more board seats opening up for CISOs?
Yaron believes this SEC proposal will elevate processes and initiatives already in place to continue to elevate the expertise and opportunities within cyber. While many may see an increase in CISO roles and board opportunities, it's important to note that it is not just about roles and jobs, it’s about cyber’s maturity. Our community, not just in cybersecurity but throughout the world, has become dependent on technology and its vital to have individuals leading with maturity and competence to keep these technical processes secure.
“Overall, I think these strategies are a really positive move, in terms of elevating the conversation, educating, providing more expertise, providing more knowledge, which ultimately, all of us will benefit from. All of us, and community and society in general.”
Do you have any closing thoughts or comments on this SEC proposal?
While Yaron breaks down individual elements of the Securities and Exchange Commission proposal with Allan, he understands that the most essential impact of the proposal is the potential it has to elevate the industry. Maturity and legitimacy is desperately needed in order to create cybersecurity’s own version of generally accepted practices. In the same way that accounting has GAAP, Yaron hopes this SEC proposal is a sign of the cyber industry growing up, coming into its own, and creating more secure processes in risk assessment.
“These proposals are part of our maturity progression and are part of our growing up as an industry and as a practice. This is something that we have to evolve into. We can probably look at other industries and figure out what we can learn and leverage from them.”
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Continue this conversation on our Discord
Allan takes the show on the road again, this time at his all-time favorite conference: CISO XC! He asks a unique question of each guest, who represent a great deal of breadth in our industry: Dave Belanger, CISO at Bestow Insurance - What is the most...
Howdy, y'all! Allan is taking this week off to spend time with family and to give thanks for all the wonderful things in his life - including y'all! For those who don't track it, there is no Cyber Ranch Podcast four times a year: American Thanksgiv...
Warning, there might be some naughty language in this one! The challenge was issued!!!! Allan teamed up with TWO other podcasts to take on the insufferable marketing that floods the cybersecurity industry in the month of October! Who won??? "Won"? Th...
Howdy, y’all, and welcome to The Cyber Ranch Podcast! Our guest today is Evan Wolff, partner at Crowell & Moring, and Allan's favorite cyber attorney. Evan has led and managed 100s of investigations including cybersecurity, data breach, insider...
Howdy, y’all, and welcome to The Cyber Ranch Podcast! That’s Tim Rohrbaugh, Founder/Principal at DefaultDenySec, former CISO for JetBlue Airways, advisor, investor: yup! Another Cyber Ranch guest with an awesome history! Tim and Allan were chattin...
Howdy, y’all, and welcome to The Cyber Ranch Podcast! We're joined today by Jacqueline (AKA “Jack”) Powell, CISO at Allianz Life and former Deputy CISO at Hanes. She has also consulted, and has worked at Chevron, General Dynamics, and SACI. Jack h...
Howdy, y’all, and welcome to The Cyber Ranch Podcast! That’s Kymberlee Price, strategic security consultant, Black Hat content review board member, former Sr. Director of Product Security at New Relic, former Principal Security Manager at Microsoft ...
Chris Tillett is a well-known figure in our industry. He is in product management and R&D at Palo Alto Networks. He is also a great guy, funny, and can wield the snark quite well. He is the perfect foil for Allan Alford as the two of them take...
Howdy, y’all, and welcome to The Cyber Ranch Podcast! Joining Allan this week is Ron Nissim, CEO @ Entitle. Yes, this is one of our rare shows with a vendor as a guest. Why? Because in this case, the vendor was more highly informed than any of Al...
Allan is joined by AJ Grotto: William J. Perry International Security Fellow and Founding Director of the Program on Geopolitics, Technology and Governance at Stanford University. He also serves as the faculty lead for the cyber policy specializatio...