Dark Reading Confidential: The CISO and the SEC

Episode 1 of Dark Reading Confidential brings Frederick “Flee” Lee, CISO of Reddit, Beth Burgin Waller, a practicing cyber attorney who represents many CISOs, and Ben Lee, Chief Legal Officer of Reddit, to the table.

Dark Reading Staff, Dark Reading

May 10, 2024

51 Min Listen

Transcript of Dark Reading Confidential, Episode 1: The CISO and the SEC

Editor's note: The transcript below was edited for clarity to reflect that Tim Brown was the only SolarWinds officer charged by the SEC.

Becky Bracken, Senior Editor, Dark Reading:

Hello everyone and welcome to Dark Reading Confidential. It's a brand new podcast from the editors of Dark Reading where we are going to focus on bringing you real-world stories straight from the cyber trenches. I'm Becky Bracken, your host, and today we are diving into the increasingly complicated relationship between the Security and Exchange Commission (SEC) and the role of the Chief Information Security Officer (CISO) within publicly traded companies. We're joined by an incredible group of experts today who are going to talk about the CISO and the SEC.

We're joined by Frederick “Flee” Lee, CISO of Reddit, Beth Waller, a practicing cyber attorney who represents many CISOs, and Ben Lee, Chief Legal Officer of Reddit. I'm also joined by Dark Reading’s Editor-in-Chief Kelly Jackson Higgins as well as Dark Reading’s Managing Editor of Commentary and Copy Jim Donahue. And they are going to help us explore this topic in-depth.

First, I would like to bring in Kelly Jackson Higgins, who's been looking at this topic for a long time, so that she can sort of get us all caught up with where we are now and help us figure out where we stand. Kelly?

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading:

Thank you, Becky. And thanks for our guests today. We're very excited to have our inaugural podcast episode on such a timely topic. So just to sort of set the stage a little bit, the industry is sort of in this new uncharted territory region that's really put CISOs in the hot seat more than ever. We're about almost a full year now into the SEC announcing its new rules, requiring disclosure within four days of a quote material incident or breach.

They announced it back in July of 2023. But the SEC didn't specify the criteria for material incident nor even specify when the clock starts ticking for disclosure. And now there's also rules about in your annual reports, you have to talk about your assessment, how you assess, identify, and manage material risks from cyber threats and perspective. I'll leave the legalese details to Beth and Ben to explain better to you, but it's gotten really complicated.

And actually in the last, this past year, we've had two CISOs in the headlines — not for good reasons. In May of 2023, before the SEC announced these rules, we had the story where Joe Sullivan, the former Uber CISO was convicted of two felonies that came out of the 2016 Uber data breach. He was given a $50,000 fine and 200 hours of community service, but was literally threatened with jail time initially.

The judge actually said to him, I'm not quoting exactly, but basically tell their CISOs that quote, you got a break, end quote. So it was a little bit disconcerting to a lot of people. And then late last October of last year, the SEC took its first real action and charged Tim Brown, the CISO of SolarWinds for misconduct related to the disclosure of their 2020 supply chain attack on the SolarWinds Orion platform.

Basically, the SEC was arguing that there was a discrepancy between what Brown and his other SolarWinds employees were talking about internally versus what they disclosed publicly to investors. So needless to say, CISOs now face a lot more challenges, sort this dual challenge of properly interpreting what the SEC means by what actually applies to the new rule for cyber incident as well as their own personal liability.

So this whole new stressful job becomes even more stressful; putting more weight on the shoulders of this one human, the CISO. So with that, I'm going to hand it back to Becky, because we really want to hear from the actual people handling this, not from us talking about it.

Becky Bracken:

I want to go over to Flee because I've heard from many other CISOs talking about just the emotional toll, the stress and worrying about your own personal, reputational, professional liabilities. Can you talk a little bit about both what you've experienced and what you're hearing from your colleagues?

Fredrick "Flee" Lee, CISO, Reddit:

Yeah. So, you know, at least from an experience standpoint, it does make you a little bit more nervous, right? Like the job in and of itself is already stressful, as you had mentioned. CISOs traditionally don't have as much power to actually impact and influence some of these things as maybe others think. So, you know, one of the concerns is always like, hey, am I now liable for something and responsible for something that I may not have full autonomy and full control over?

Right. So, you know, when you think about some of the other CISOs that have maybe actually been in incidents or had incidents, often they actually know the right thing to do. And they have even communicated to the company, hey, “I think this is the path we should be taking.” But they're not always resourced in order to actually do those things. So now we're in a position where, hey, you can know the right thing to do. You can even advocate and lobby for the right thing to do. But you still have personal impact based on decisions that are outside of your control. Right.

And that definitely can make you stay up a little bit longer at night. And just transparently, I think it's also going to impact how people think about taking certain positions and taking certain jobs. Like would you be willing to be a CISO for a small scrappy company that maybe doesn't have infinite resources now knowing that you also have this additional liability there? The other thing that makes me nervous about it, and I'm sure other CISOs as well when I talk to my peers, is that most of us actually spend our time thinking about how to be good at security. And we don't always know all the intricacies of some of the laws and some of the regulations. Like Joe Sullivan, who's a great CISO, had the advantage, and he's also a lawyer. So that did make it a little bit easier for him to actually understand and navigate through the process. But I'm just, like, a reformed hacker.

And I don't know, like, the intricacies of that. So if I were in that same position, I may not get the same leniency that Joe did or have the same level of success there. And it is, it's one of those things that I can totally see other people at CISO saying like, Hey, maybe I don't want to work for this company or Hey, you know what? This is no longer worth the risk to me personally, because the other thing, unfortunately, is that now these CISOs, you know, who have had litigation from the SEC.

Now these CISOs, their names show up in Google and that's like the first hit. And that's not great from a reputational standpoint because at the CISO, one of the things we sell is trust and our trustworthiness itself. And so an employer who might see something, you know, that the SEC filed or claimed against somebody won't have all the context and nuance about how that even got manifested. They wouldn't know the scenario that, hey, maybe this is a CISO that didn't have the right resources or maybe this is a CISO that did advocate and did all the right things, but ultimately the broader company decision won over.

Becky Bracken:

Okay. Well, let's unpack both internal pressures and then the external pressures. And so Ben, maybe you can gut-check us on, please, within the corporate structure sort of the lack of influence that they have. As a chief legal officer of Reddit, what do you think a proper leverage should you say or influence should a CISO have versus what you're seeing they actually have within a corporate structure, sort of managing up the security process.

Ben Lee, Chief Legal Officer, Reddit:

Hmm. Okay. Well, that's a bit of a challenging question. I'll try to unpack it as best as I can. And of course, I, with all the caveats that I'm only describing, like, frankly, like what I've seen, for example, at other companies, other than Reddit and other, I think being, Flee is absolutely right. Being a CISO is challenging. You are fighting for resources that you think are necessary to kind of do the right thing on a substantive level.

You know, you need to negotiate internally the right sorts of relationships, both with the other execs in management, but also, you know, in certain circumstances with the board and, and, you know, in a way that you can kind of properly contextualize for them, the risks that the company is facing and whether it's properly facing them in terms of resourcing and in terms of the reaction.

I think if you actually dig into the gory details of each of these specific things, and I only know what everybody else knows in terms of the public details, but just in terms of the gory details that the SEC presented, these are clearly like horribly, the relationships went bad, and they went bad, and it's clear Joe's relationship with his new CEO was not in a great place. And that, you know, the CEO and possibly the board did not trust him. And what that was based on unclear, but effectively, you can't be an effective CISO if like your CEO thinks you're lying to them.

Becky Bracken:

Which is exactly what Flee was talking about a moment ago with that trust issue. That's part of what you're bringing to the table.

Ben Lee:

Exactly. And I think the SolarWinds case is similar on an external basis. Like, do your customers trust you when they're saying, when you're representing what's going on internally? And in the SolarWinds situation, ironically, like what Flee mentioned is kind of struck me as pretty interesting because, I think there was this very telling exchange where somebody actually texted somebody internally said, “oh, I just lied to our customer.”

That wasn't Brown that did that, but it was somebody on his team. And in some sense, he's responsible for the way the team operated and the way they responded to their customers. And in that sense, it's a part of your role that you don't really think about is what is the kind of culture that you're giving your own people in terms of how they're responding in such stressful situations.

Becky Bracken:

Excellent advice. Now, Beth, can you walk us through really what the stakes are externally? What a CISO can find themselves in currently and really what sort of worst-case scenarios are we looking at?

Beth Burgin Waller, cybersecurity attorney:

I think there's a couple of things to think about. Obviously, what keeps us all up at night is having a major incident. And I think we need to also kind of take a 40,000-foot view or take a big step back here and remember, you know, we're still the victim of a crime after an incident. There's still something that occurred. And I think that there is this heightened level of, you know, examining the CISO or looking at the CISO under a microscope after an incident. And so, but at the same time, this is almost one of the few areas where we blame the victim and we say, okay, well, you left your car unlocked, and so the criminal came by and they broke in and they took stuff, but you're the one to blame because more so than the criminal in some ways because again, you left the car door unlocked, right? Maybe you didn't have your MFA. And so, you I think that it is hard when you're looking at this, you know, the CISO liability after an incident and you're having the SEC start to examine you, you have, you know, again, looking at kind of the risk or what's the chessboard of bad moves that can occur to us, you know, after an incident or what can happen with the CISO is obviously you get.

Becky Bracken:

Such an excellent point, Beth.

Beth Burgin Waller:

You get the examination from the SEC about your disclosures, what was said, when was it said, did you make material misstatements in those disclosures about the level of security that you may or may not have. But also then you have the possibility of being named in multitudes of lawsuits, right? Class action lawsuits brought by potential data breach victims, also shareholders, shareholder derivative lawsuits, customer lawsuits if you're B2B, right? Things of that nature and you lost significant data. So there is obviously that looming threat of potentially being either named or even just opposed, right, in a lawsuit.

And I go back to, you know, what my other commentators said today, you know, the idea that, you it's emotional, it's stressful, it's already a stressful job, there's already so much on you, you're a security professional, you're trying to guard against all the different ways that the company could be broken into, and now you've got to look over your shoulder to say, am I going to be attacked after, by my... by my own shareholders or by others in the field or whatnot after an incident occurs.

So I think that there's a lot of risk and there's a lot of things that CISOs need to be thinking about. And I think the SEC has really kind of zoned in on that and said, look, we need to see these disclosures not only in terms of the incident being disclosed right away, but also in terms of your continuing obligation to tell us about what it is that's there that's risky in your company.

Becky Bracken:

Yeah, and Flee, you explained earlier that the material impact of that is you are driving talent away from the CISO position, correct? What are you seeing among your colleagues when they're considering taking these jobs?

Fredrick "Flee" Lee:

Yeah, I mean, one, it does mean that some of them are being a lot more conservative in their approach, then probably is actually helpful and useful and good. Right. You know, it's the classic, well, if I just, you know, buy IBM, I won't get fired. Right. It's like, oh, hey, if I do these things that we think the SEC thinks is okay, yeah, I won't have an issue. But sometimes there's a gap between the knowledge of regulators and the innovation that needs to occur in the industry.

For example, we're talking a lot, you know, about things like, you know, AI, you know, new ways that can utilize cloud services, new things around mobile computing. Those are things that the SEC and regulators don't have the time to actually catch up on yet. But also we have to be innovative and we have to actually think, well, how do I actually truly protect against the attackers? Cause the attackers are innovative, right? And we have to maintain that innovation curve.

When you have regulations that at least can appear chilling or can it can appear scary, it can cause people to actually have a pause and ultimately not have the kind of security that we would actually like to have. I think what this means also on the CISO role is that some companies, as I mentioned previously, who would greatly benefit from a good technical innovative CISO. They may not get that opportunity because that CISO may now be viewing those companies in and of themselves as a personal liability.

We always have to make choices when we're choosing an employer about like, hey, how viable is this employer? Are they going to be around in five years? Is my paycheck going to come on time, et cetera? Now, with a CISO, you also have to think, oh, if I work for this employer, will I have a legal liability that I haven't had before?

Becky Bracken:

And it goes back to what Ben said, getting into a culture of trust where you have a symbiotic relationship of trust with your board, right?

Fredrick "Flee" Lee:

Yep. And, you know, there are some good things there. You know, I do think that more and more CISOs should be, for lack of a better word, interviewing the companies that they're joining to kind of know in advance, like, hey, am I going to be set up for success? Am I going to have the kind of resourcing that I'm going to need? Do I have alignment with the board even before starting on what their philosophies are around security? Do I have alignment with the CEO and the founders on that? Because that's all going to impact your decision now to actually be at that company and to be successful.

Becky Bracken:

Good advice. Now, Kelly, can you walk us through a little bit about... because our regulators, they don't have malicious intent. I mean, they're trying to do good things. They just maybe don't understand the unintended consequences of those. So maybe you could walk us through a little bit of reality versus intent.

Kelly Jackson Higgins:

Yeah, I we all know the SEC had good intentions, right? The idea of what they're doing is a good idea. It's just the whole reality, right, for CISOs and organizations. And Flee, you touched on this a little bit a few minutes ago, but I'd love to talk to you more, have you talk a little bit more about just how you measure this, how you weigh the transparency piece, right?

Also, we're still not quite clear on some of the definitions of material for a cybersecurity incident. So talk a little bit about how you're handling that thought process right now and how other CSOs you've talked to are doing this.

Fredrick "Flee" Lee:

Yeah, and I love that we're talking about the intent because actually, I agree with the SEC's intent. It's good; a really, really, really good intent. This kind of idea that, hey, at a minimum, you're a publicly traded company. Your investors need to know. They need to actually have insight in how you're operating. They need to know certain risks. They need to know if the investment that they're making is going to be sound and if they can have the info they need to make a good decision going forward.

So I think that's actually a great intent. I do believe there are other ways to actually achieve it. And at a minimum, some additional supplementary ways. A lot of this with regards to the desire for transparency are things that CISOs should already be doing, right? Currently, a lot of us do that via like sharing certifications. So for example, Reddit has a SOC 2, we have ISO 27001, like… If somebody wants to know about Reddit security processes in our program, we actually have assets for them to do that.

Many of my peers were also doing similar things. We were saying like, “Hey, we're doing attestation via third parties and some neutral entity that also has a lot more context on security that can give a more holistic and helpful answer.” So I think tons of CISOs are already doing that.

Where I think some of the hesitancy and some of the angst is coming from is, well, what should that transparency actually look like versus maybe what the SEC is asking for? And also recognizing that some of the things in our world have a lot of nuance. So things that the SEC might be asking to disclose aren't necessarily as helpful to investors and not helpful to the SEC itself. And that we have a different language that we communicate in.

And that language, especially for the people that need to know, is there for a specific reason, right? We have specificity in the language. Yes, it can come across somewhat pedantic, but it's actually for a reason, right? And I think the way that the SEC's guidance is currently written, it doesn't give enough verbosity and enough like explicit guidance about how we should be communicating that transparency. And that's where I think there could be some issues moving forward in the future.

Because yeah, we can disclose tons of things, but what happens if I disclose the wrong thing? Or what happens if my disclosure language was too technical? Because that's also a risk. It's like, hey, I'm talking about something that's actually deeply technical. I believe that it's important, but it may not be something that investors can properly interpret. And so now we're also in this world where CISOs...  need to learn yet another language, right? Like, hey, we've learned the language of engineering because we are engineers. Then we learned the language of, you know, product and business so we can actually be effective inside the company. We learned the language of legal. So we can actually, you know, be good collaborators with our general counsel. But now we're being asked to learn the language of investors and regulators, which is useful. We should, and hopefully actually try to get there, but it is a different burden than what you actually might expect for other leaders at a company.

Right? And that's where it also gets complicated.

Kelly Jackson Higgins:

So you have to have multilingual on your resume, for sure. So yeah, you touched on some other things too, the whole idea of having to give this annual report as well that talks about how you handle a cybersecurity incident. I think you touched on that being difficult. How much can you say there without giving away your security strategy too, right? You have to be careful. Like how do you balance that?

Fredrick "Flee" Lee:

Oh yeah, and it's hard and it's interesting, you know, another member of the Dark Reading CISO advisory group, Kurt John, he was talking about this concept of like, hey, you know, as security practitioners, we actually do do a lot of things that we at least as practitioners believe are the right things to do. And he kind of came up with this concept, which is a corollary to GAP, right? Like we know accountants, the SEC deeply understands this idea of generally accepted accounting practices.

What about this concept of generally accepted security practices? Right. And are there things that we as an industry can be doing to make that easier and also to be further led by practitioners as opposed to well -intentioned regulators? Definitely well-intentioned, but that nuance is definitely missing there. And that's where things like, hey, we kind of all know that we, you know, when I go and look at another company, I have a vendor assessment process and I actually go and look in and dive deep.

You know, why are these kinds of things not the things that actually are included in some of the SEC guidance? And I think that is just more because we didn't have as many practitioners involved in molding and shaping that as maybe could have been done. But we do know as an industry that we actually do have some standard things. And, you we pulled from things like, know, NIST cybersecurity framework, right?

Um, we, we pulled from things like OWASP Top 10, Hey, are you checking for these kinds of vulnerabilities, et cetera? And that's what I mean with the kind of like these generally accepted security practices, AKA GASP. Kurt has been gracious enough to accept that acronym. Um, but it is one of the things that I think we can actually do a lot more. Um, but I think that there are other mechanisms to help with that transparency and that transparency is needed. That transparency, in my opinion, is something that we owe to our customers and our investors, et cetera. I think like the consternation here is just all around, hey, is the SEC the optimal body to help us with that transparency and the optimal body that can help us form the right regulations there?

Kelly Jackson Higgins:

Speaking of regulations, the SEC is not the only regulator out there. Beth, I know we spoke a little bit recently about just sort of overlapping regulations that your clients face. Can you talk a little bit to that? So how to strategize that when you're talking disclosure from various regulatory frameworks?

Beth Burgin Waller:

That's right. I think the issue is that once you have an incident and it is a major incident, let's say it's a ransomware incident, automatically you start a clock on a lot of different, depending on the nature of your business, on a lot of different possible regulator notifications that need to go out the door. So we're all, a lot of folks are at least familiar with GDPR, the General Data Protection Regulation out of the EU. It has a 72-hour window to give notice to regulators in the EU.

You also have, if you were a Department of Defense subcontractor, you might also have another 72 -hour window that kicks off to give notice under the DFARs of an incident in that particular space. Then you have other industries or other industry -specific regulations. So if you're critical infrastructure, you have CISA's new proposed notification obligations, which are very hefty, right, and are being currently under public rule commentary at the moment.

But then also, depending again on the nature of your industry, you can be in the financial sector and have a 36 hour window. You can be in the energy sector and have a four hour window. You can have a lot of different notification obligations that kick off. And frankly, if you are a multinational company, these notification obligations can all kick off at the same time, right? So you're the victim of a crime. It's not happening at 11 a .m. on a Tuesday when everybody's there. It's happening, you know, 1 a .m. on a Saturday on a holiday weekend.

And you're beginning to have to think through all these different notification requirements. And now we add in the materiality obligation that SEC has put on us too. So that idea of needing to give a notification that we've experienced a material incident within four days of reaching that materiality determination. And as Flea said and as Ben has indicated and as we talked about, it is a little bit squishy as to what is material and what is material for one company may not be material for another. And so, and what needs to be disclosed in those material notifications is also a little bit different. Now, again, being the lawyer and putting my evil villain lawyer hat on for a second, I kind of like that, right? I like the ambiguity there because again, it means that I can have flexibility based on the client and the circumstances to give the notice that may be appropriate for those particular issues. But if I'm thinking about it also from the perspective of protecting my organization, protecting the CISOs that I represent.

The key is also to be consistent across all these things. And again, keeping in mind, we're in the middle of potentially our worldwide operations have been hit with ransomware. We're down. We don't have phones operating. We may not be on email. We may not be on our normal network. All these things may be going on. We're coordinating with forensic teams. And then we're having to think through what are we putting out there about what it is that we've experienced. And we need to be consistent across the board. On some of these notification obligations, they are covered by certain privileges. On others, they're not.

And they're potentially discoverable in that later potential class action lawsuit or SEC filing that can occur or even criminal prosecutions that could potentially occur after these events. And so it's incredibly important for CISOs and the legal teams that work with those CISOs, be it in -house and outside, to be thinking about what is the narrative that we are saying based on and what is it that we know at this time? And are we accurate about what it is that we know at this time?

And sometimes that can be challenging because you want to come out and be able to say out the gate, customer information wasn't impacted. Well, do we know, right? Do we know how bad it is in the first few hours? Most of the time, we don't. And so I think that's really where it gets to be very complex, very quickly, because you have these multiple clocks that begin counting down on you the moment the incident occurs.

Kelly Jackson Higgins:

The other issue that we've seen a lot of the news lately too is, and it kind of touches on the supply chain theme, is when a particular vendor who has widespread products has a vulnerability that literally is an exploit that goes viral and everyone's getting hit, you've got to quickly patch. Ben, how do companies kind of approach that? Like, are you liable if you're one of the users of that software that was being exploited wildly? How do you figure that out in this whole SEC regulatory space?

Ben Lee:

Yeah, let me layer on a couple of things. I mean, I'm going to largely riff off of what Beth said and all that. And it's just this recognition that, well, actually, maybe let me start with a little bit of a reaction to, if I put on like an SEC hat, and that's not a hat I would normally put on in this context, there's a lot that the SEC has done here that is actually quite normal.

It's actually something that is very familiar. In other words, the concept of materiality, again, not giving legal advice, but like the concept of materiality is a well -known concept to everybody who has to kind of live in the corporate side of corporate law side. And it's really built around, hey, businesses that know material information have to disclose them in certain ways. And..

You know, I think there is this large realization that, oh my gosh, a breach is a very material event. And the importance of like doing well in this area is suddenly, that that's what's motivating what's going on here. And it's really about like, at what point do you figure out that something is important enough that it's something that you really do need to tell your customers. You do need to tell the public, you do need to.

Like layered on top of it is this other thing, which is of course, the universe is complicated. Like our software stack is extremely like, where do we put some of our most sensitive customer and employee data? We actually don't home grow these. I mean, I love like hacking, putting together my own MySQL database, you know, but like the reality of it is if that's where we're holding our customer data, that's not great. So we rely on vendors and those vendors,

Sometimes they're good, sometimes they're bad, sometimes they really suck. And sometimes they are like literally breached in front of you. I was involved in an incident where a vendor got breached at a prior place and myself, along with the GCs of several other customers, pretty large customers of this company were arguing with this particular entity saying,

Why in hell have you not disclosed this breach? Like, why have you not put out a press release on this? Why have you not done more? Like, in other words, doing what the SEC says is a good thing to do and is now mandated, which is this is material, for gosh sakes, please tell the public about it. And you can see the interactions here because why do I care?

It's because my own employees may be affected. My own customers may be affected. I want them to know. But it also reflects the complexity here at this point. Whose obligation is it to notify? And how do we talk about it even? In some sense, like the simplistic, I file an 8K regarding my business.

There is this complicated network of companies. We all rely on each other. We are all part of this larger fabric. And when there's a breach, as we saw in the solar wind situation, there was a long list of secondary effects that affected a large part of the industry. And how do we talk about that in an effective way is really a challenge.

Well, I think we have a pretty good understanding of the deeply complex things at play here. So getting down sort of to a brass tacks, practical advice, Beth, what can and should CISOs be doing to protect themselves? What advice would you give a CISO looking at stepping into this space or one that already is knee deep in it and not sure where to go?

Well, first of all, I really would suggest that they work hand in hand with legal, right? Work together with your in -house counsel, work together with your GC on your concerns. I think having a good relationship with your legal team or even getting outside counsel involved in that process is an incredibly important tool because it isn't always on just the CISO to understand what do I need to worry about here with regards to materiality and reporting and.

Beth Burgin Waller:

You know, the legal department is really there to support that mission and so I would really recommend going in that direction. The other big issue that I would really think about if I was a CISO and what I advise CISOs on is, you we talk about a chief information security officer, but oftentimes you're not an officer, right? You are not an officer of the company. And why does that matter? Well, it matters for things like the directors and officers' insurance policy, right? The D &O policy. And so what you would want to make sure of is that...

you are talking to your risk management team about, am I covered under the DNO policy of the company if there is a lawsuit? I mean, the company is likely to step up and represent you anyways in the event that you're named in a lawsuit alongside the company. That being said, you really wanna make sure that you're covered under that DNO policy in some way. If you're not covered under that DNO policy, then my recommendation, again, this is not meant to be legal advice as Ben said too, but my recommendation is, or typical lawyer disclaimer, disclaimer.

But the other recommendation is to make sure that you get your own insurance. So a lot of CISOs that I work with have actually gone out into the market and gotten their own insurance to cover themselves on the side. If you're going to that step, though, one recommendation I would make is also to bring that to the attention and risk management team at the company to see if the company will pay for it. Try to get the company to step up and help you with regards to these things. If they don't, or even if they do, I still think it's always wise to carry some sort of insurance over that particular area of risk. And then the other bit of, again, kind practical advice, and this is just to be very thoughtful about what you put in writing. You we talked a little bit about text messages, about Slack messages, and things like that, comments that are found in post -incidents that can become problematic. Be thoughtful about what it is that you put in writing. If you've got to put something in writing, related to risk, again, pick up the phone and call the legal team before you do or go and say, go sit in their office and say, I have a problem and we need to talk about it. We need talk about how we're gonna say it, right? And it needs to be said. But also, if you're not being heard, then that's also another concern or consideration. And I would also think about how do you have a direct line?

You know, a lot of, you know, how do you report as a CISO? Are you reporting up through the CIO? Are you reporting up through the chief security officer who also has physical security? Are you, is there a direct line of report? Even if there's not a direct line of report in terms of like your org structure, is there at least an opportunity for you to give some sort of feedback to executive leadership and or the board, at least on an annual basis? And if you have that opportunity, then you need to use that opportunity to talk through.

Preferably verbally, but to talk through these are the risks that we see this is the area that we need to improve so that again You you have at least disclosed the issues that are there But you're not putting things in writing that can be problematic for you in the future

Becky Bracken:

Excellent advice. Ben, what do you think? What are some practical advice that you would give specifically from an internal perspective as well?

Ben Lee:

Well, just to kind of carry forward with Beth, I agree completely with everything Beth said. You're used to, I think, as a typical CISO interacting with certain parts of the legal team. There are other parts of the legal team that are now your friends also. And you didn't even realize they were there. The corporate attorneys are constantly making the materiality determination on everything else. They're always out there.  You just don't see them, now suddenly they're also your friends. You need to know who they are and in some sense, you usually know who they are because they're who gets you access to the board sometimes, but now you really need to know them and you need to help them understand what they should 8K and what they shouldn't. And that's something that you'll get from that sort of interaction.

Becky Bracken:

Oh, sorry, we brought last year for just a sec. Sure, Beth, you wanna pick up on that?

Beth Burgin Waller:

Yeah, I wanna pick up on one little tidbit on this too, and that is I'm seeing a lot of companies also, we're talking about materiality as if it's in a separate weird bubble off to the side. I will say that I'm seeing a lot of publicly traded companies come through and also look at their incident response plan and then start addressing how are we gonna deal with this materiality determination in the incident response planning itself, right? And what we're also seeing though is that it's not necessarily the incident response team or the CISO that's making that determination. What we're seeing now is like, subgroups or working groups that are gonna be set up kind of simultaneous or running in parallel to incident response teams to address this materiality concern. Because as Ben said, this isn't new in a lot of ways. It's just the four day requirement is what has added a little pep to our step, right? We always had an obligation to have to disclose something that was material. And that term material has a whole body of law as Ben has indicated, especially related to financial statements and things of that nature.

That stands behind us. So we're not reinventing the wheel, but we are having to think about it on a really, really, really fast timeline on the rocket ship of an incident. And we need to be mindful of that. So my, again, in terms of recommendations on how CISOs can protect themselves, make sure the incident response plan is really also addressing this risk. So it's not on your shoulders, you're not at -loss alone, and that the company that you're in really is having a conversation about how are we gonna address this risk going forward.

Becky Bracken:

Flee, what about you? What practical advice could you share for her?

Fredrick "Flee" Lee:

Yeah. Yeah. I want to plus one what Ben said, especially about, hey, CISOs make some new friends inside your company or become better friends with some of your friends inside the company. And in particular, just as Ben said, there are people that we don't normally interact with that often that will be especially useful now. And some of these are scenarios where we probably should have always been interacting. Like, you know, we talk about things like materiality. Unfortunately, not all CISOs are familiar with that.

But it is something that is useful. So you think about, yay, your enterprise risk management, et cetera. When you're working with ERMs, knowing the materiality, essentially that number or that range of numbers is super useful for actually helping you think about the impact of certain losses and risk, et cetera. So that's actually kind of like one thing that I do want to heavily plus one there. Hey, go and get a deeper understanding with your friends and... You know, your corporate council, as well as some of your friends in, you know, internal audit, who also have a lot to do with, you know, thinking about materiality. Um, the other thing that I advise CISOs is do actual deep dives with people on your board and some of the other senior leaders. Um, I think oftentimes we kind of show up at the board and kind of like do a massive spray and pray of material and then kind of like, you leave it at that and leave the board interaction at just the board meetings.

It is useful to actually talk and interact with your board outside of that. And I know a lot of my peers are already comfortable with this, but especially maybe some people that are newer to the CISO role or aspire to be the CISO role, you can talk to your board members outside of board meetings. And that's a useful time to actually help them get up to speed so they can actually better understand. Because sometimes when they are not as supportive as maybe a CISO would like, it's not because of a lack of desire, it's actually from a lack of full education. And so if you can actually sit down with them, say like, hey, here's, here's what I think some of our biggest problems are at my company. Here's how we're resourced, actually kind of deal with that. Here's some of those gaps and resourcing and what could occur, you know, related on where we actually have made some investments that gives them a better understanding so that they can give you and the company better advice and guidance during those actual official board meetings. And the same thing for your other C -level executives, give them actual deep, walkthroughs and entertain all of the curiosity. One of things that I like to do is invite people like Ben to our team offsites. Say, hey, come and see what we're working on. And part of that is if we can be better and more transparent inside of our company, that's going to help us be more transparent outside the company as well to help us meet some of those SEC obligations. That transparency also helps build that trust that you need from your other execs and peers and the board to help you get the funding that you think you need to tackle some of the problems that may be making you more concerned about the SEC guidance. So this is a really long -winded, Southerner way of saying make friends and talk to more people. Because I really do think that's actually kind of at the heart of what's going to help people be more successful with this new regulation coming.

Kelly Jackson Higgins:

Ha ha!

Beth Burgin Waller:

I just want to jump in to say, kind of echo what Flea and Ben have said, but also say one thing I'm seeing from boards and companies I represent is after these SEC disclosures requirements have come out, you're seeing more board activity reaching back out to the CISO or reaching back out down to management to say, talk to us about this. So I think that's a really positive thing. We're also seeing boards start to engage directly with outside vendors on this topic and want direct board advice, be it council or otherwise on.

Beth Burgin Waller:

What are things that the board needs to do from an education standpoint to understand cybersecurity risk? So I think CISOs need to understand that there is likely a very captive audience on the board that is wanting to hear about how do we address this risk. And so I think working together hand in hand with in -house counsel, with Chief Legal to go to the board to have these conversations, it's gonna be a welcome audience.

Becky Bracken:

And Kelly, in addition to educating the board, the way forward that everyone is pretty much advocating on this panel and elsewhere is getting feedback to the SEC to help them become better regulators. How are we going to do that?

Kelly Jackson Higgins:

How do we make friends with the SEC? That is the question. Yeah, I think that's a great way to tie this up because I think I step back and just have maybe start with Flee. If there's just like one thing you wish you could tell the SEC and other regulators about what this current atmosphere is like for you and other recisos right now. Like, so they understand better where you're coming from. Obviously, they know what they want in terms of disclosure, which we get. That's a financial thing. We know all their...all their position there, but like, so they could understand your role more. What would that be? What would you want to communicate to them?

Fredrick "Flee" Lee:

Yeah, the if only had one thing that I could ask for the SEC, because I would love to ask them probably 100. It would actually be for them to hire more former practitioners and to make those former practitioners deep subject matter experts in cyber regulations and make them available to external entities like, hey, the people are to be subjected to it. Hey, I'm, I want to chat with somebody at the SEC, help me understand this a little bit better. And if it's somebody who's a former practitioner that makes it easier, because I can actually speak in my language and they can understand what I'm saying. And they have that empathy and context as somebody who was a former CISO to say, oh no, Flee, I totally get what you're going through. No, you need to do it this way. And then this is actually really what the intention of the law was. And if you are operating in this fashion, you'll be okay. And I think that will also give a lot more confidence from CISOs that are actually practicing to know that the SEC has some former CISOs and former security practitioners directly involved in shaping this, directly involved in evaluating it, and directly involved in actually helping and answering questions.

Kelly Jackson Higgins:

Ben, would you advise Flee to ask that question to the SEC? What would your question be?

Ben Lee:

No, I mean, I so look like I feel like my my conversations at prior places with SEC and with former SEC have been, you know, wonderfully constructive. But the I think the thing I would kind of like emphasize is that often like when we're talking about any new form of regulation like Starbucks or any of these things.

It's not just the SEC talking to industry, it's industry talking to each other and the SEC. In other words, it's often a lot of the color that we get is from industry talking amongst itself to figure out like, how do we kind of best make the rest of the universe understand what works for businesses and what doesn't and all that. So in other words, they're often kind of sparking that type of conversation. And ironically, I think that's exactly what they're trying to do here too. I mean, I'm going to try not to get soapboxy, but like one of the incidents that I was like involved in, like stemmed from a vulnerability that affected a very large big tech company. I'm not going to name the company, but ultimately they did not disclose.

They did not disclose that they had been badly breached. And because of that, that impacted all of the rest of us. We got breached one after another and it was a nation state attack. Yes. But they sat on it. And the reality of it is, is that in a prior universe, does that constitute securities fraud? No, technically being silent on a bad thing is technically not securities fraud. Again, that's not legal advice. It can be bad practice for purposes of like, and it can harm the rest of the ecosystem. And so there are these things that we have like RSA and other where we share amongst each other what we're seeing. We share like what we, and in some sense, I'd like to think that that's what we're trying to strive for is sharing amongst each other and with the public in a way that we get better at this, not worse.

Kelly Jackson Higgins:

That makes so much sense. And the tricky part is how do you do that, right? How do you construct that sort of communication in a legal and useful way? Beth, do you have some thoughts on that to kind of tie it up here from what you're seeing with your clients?

Beth Burgin Waller:

I mean, I was just really keep in mind again that we're the victim of a crime on a rocket ship, right? And we are blasting forward really rapidly trying to do the best that we can after we've gone through something catastrophic in most instances. And so, I think that the key is to remember that and to keep that in mind from all perspectives. And...And it goes back to some of the things that Flee has said, just from a human, there's a human element here, right? It's a very stressful experience for everybody. And so be thoughtful about that, but then also, again, from a legal standpoint, be thoughtful about what it is that we capture and how we say what we say, because it can and potentially will be used against us in some later proceeding.

Becky Bracken:

Well, that concludes our panel for our first episode of Dark Reading Confidential. Frederick, Flee Lee, Ben Lee, Beth Waller, we are so grateful for your time, for your deep expertise. I know that our audience is as well. So thank you all so very much for your time today. We also have a little bit of commentary. Our Managing Editor of Copy Desk and Commentary, Jim Donahue, combs through submissions, oceans it seems like of submissions that we get and he has handpicked a couple of excerpts that are on this topic that he thought might be relevant. Jim, take it away.

Jim Donahue:

Thanks, Becky. Hello, everyone. I'm Jim Donahue. And today I'm going to share some excerpts from two recent columns by industry leaders. The first describes a new approach to SEC disclosures from Tom Tovar, the CEO and co -creator of AppDome. He's a former securities lawyer who spent his fair share of time dealing with the SEC. In an article from April 25th, Tovar proposes the creation of what he calls a remediation safe harbor. He writes, "I was surprised to read in one of the amicus briefs in the SolarWinds case that CISOs are not typically responsible for drafting or approving public disclosures. Maybe they should be, but I want to propose something different, a remediation safe harbor for cybersecurity risks and incidents.

A remediation safe harbor would allow companies the full four day timeframe to evaluate and respond to the incident. Then if remediated, take the time to disclose the incident properly. The other benefit of this remediate first approach is that there will be more emphasis on cyber response and less impact to a company's public stock. The question of how, when and where we disclose cybersecurity incidents is going to be a big one for all cyber professionals. For my part, I think the CSO should control or at least approve the company's disclosures when cybersecurity incidents arise. If we can encourage the SEC to embrace a remediate first mindset, we just might open the door to better cybersecurity disclosure for everyone."

Again, that was an excerpt from a commentary article by Apdom's Tom Tovar published by Dark Reading on April 25th titled, SolarWinds 2024. Where do cyber disclosures go from here? And you can read the full article at darkreading .com.

I'd also like to read a section of a column by Mark Bowling, Chief Information Security and Risk Officer for ExtraHop. He writes, "when CISOs are hired, they're often described as being responsible for implementing effective security, information security, and risk management frameworks at their organizations.

But in light of the SEC charges against the SolarWinds CSO, some might say the CSO job description should include Fall Guy in the face of a cyber incident. Often, CSOs are removed from the finer points of cybersecurity operations. At a very high level, they advocate for and push forward the organization's cybersecurity agenda, but they cannot simply provide final sign -off on large decisions.

They must stay informed on the threat landscape and continually collaborate with individual security teams within their organization. As the overseer for implementing effective security, that really means the CSO needs to be involved every step of the way. No stone should be left unturned and no vulnerability should be a matter of oversight." That's from The CSO Role Undergoes a Major Evolution, by ExtraHops' Mark Bowling. And the whole column can be found on darkreading .com.

So do you have a column idea you'd like to pitch? You can send it to [email protected] for us to consider, and please let us know what your cybersecurity background is. Thanks for listening. I'm Jim Donahue, and I'll see you for our next episode of Dark Reading Confidential with more commentary from inside the cyber trenches. Becky, back over to you.

Becky Bracken:

Okay everybody, we did it. Kelly, we did it. That was our first episode. What do think?

Kelly Jackson Higgins:

I learned a lot, again, after talking to you all. So thank you so much for bearing with us as we go through this a little bit. We had some technical difficulties and we had our just getting our nerves out. But that was a great conversation.

Beth:

Hahaha.

Becky:

Thank you all. We're very lucky to have had all of you participate. And that's it. So on behalf of Dark Reading Confidential and all of our guests, I'm Becky Bracken. Thank you for listening. We will see you for our next episode in June. We'll talk soon.

Kelly:

Thank you.

Fredrick "Flee" Lee:

Woohoo!

Read more about:

CISO Corner

About the Author

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights