On 31 October 2023, the SEC announced charges against SolarWinds and its CISO for fraud and internal control failures relating to alleged known cybersecurity risks and vulnerabilities.
The Modern CISO's Role in Aligning Security Programs to Threats
Recent SEC requirements and indictments indicate that CISOs need the ability to prove and document that they are addressing known cyber threats, not just risk in the abstract.
The impact of these actions, together with the subsequent extension of whistleblower protection to cybersecurity, puts immense pressure on the modern Chief Information Security Officer (CISO), Chief Security Officer (CSO) and Business Information Security Officer (BISO) to execute a well-reasoned, defendable, and documented cybersecurity program.
Recent SEC Cyber Enforcement Actions
SolarWinds Ruling & Charges
- The announcement accuses SolarWinds of making an incomplete disclosure about the SUNBURST attack that took place on December 14, 2020.
- The CISO was directly charged with defrauding investors by overstating SolarWinds’s cybersecurity practices and understating or failing to disclose known risks.
SEC Reporting Requirements
On 26 July 2023, the SEC adopted rules requiring publicly traded companies to disclose cybersecurity incidents they determine to be material. More importantly, the rules also added Regulation S-K Item 106, which requires registrants to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats, including requiring:
- Registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents.
- Registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.
Next Steps for the Modern CISO
Shifting to a Proactive Security Strategy to Assess, Identify and Manage Threats
Being able to assess cyber defense readiness means an organization has to understand what it has in its security ecosystem and tool stack, and how that stack allows it to respond to specific threats or vulnerabilities.
It is imperative that the modern CISO ensures their security team has the evidence to focus on the threats that matter most to them, i.e., an empirical understanding of the threats that are actually targeting them, instead of attempting to understand all threats.
How Interpres Can Help Build Confidence In Your Cybersecurity Program
CISOs need to be able to demonstrate and attest to the confidence of their cybersecurity program separately, and distinctly from other business risks.
We understand that automating continuous monitoring is key: relying on data from a point-in-time assessment is guaranteed to fail you.
The Interpres Threat Exposure Management platform leverages the solutions you already own and continuously measures the relationship between the threats that are targeting you, the exploitable vulnerabilities in your systems and your defensive controls, to provide near-real-time awareness of your ability to detect and mitigate the threats most likely targeting your organization.
Interpres arms the modern CISO with the capability to automatically assess, identify and manage threat exposure, which is what defines a well-reasoned and defendable cybersecurity program, so you can:
- Quickly determine cyber readiness through automation and analysis of the defensive controls, assets, adversarial threats and vulnerabilities most likely targeting your organization.
- Streamline the analysis of defense surface tooling to comprehensively evaluate capabilities and optimize security posture in the areas of threat mitigation, visibility, and detection.
- Identify and prioritize exploitable vulnerabilities being leveraged by adversaries that target like-kind organizations.
- Identify those technologies and capabilities in your environment that do not provide value against the threats targeting you.
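The measurement described above, relating the threats targeting an organization to the defensive controls it actually has running, can be made concrete with a weighted coverage analysis. The following is an added illustration written for this page, not Interpres code and not a description of how the platform works internally. It assumes a constructed threat profile (real ATT&CK technique IDs, but made-up weights standing in for how often peer organizations have seen each technique), a constructed control inventory with hypothetical rule names, and an `enabled` flag so that a control that exists but is switched off does not count as coverage. It reports a weighted coverage score, the highest-priority gaps, controls that are relevant but disabled, and controls that address nothing in the threat profile (the "no value against the threats targeting you" case).

```python
"""Weighted threat-to-control coverage analysis (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    technique: str  # ATT&CK technique ID
    name: str
    weight: int     # relative frequency against peer organizations (constructed)


@dataclass(frozen=True)
class Control:
    control_id: str         # hypothetical rule/control name
    description: str
    techniques: frozenset   # technique IDs this control detects or mitigates
    enabled: bool = True    # a disabled control provides no coverage


# Constructed threat profile: technique IDs are real ATT&CK IDs, weights are made up.
THREATS = [
    Threat("T1566", "Phishing", 9),
    Threat("T1059", "Command and Scripting Interpreter", 8),
    Threat("T1078", "Valid Accounts", 7),
    Threat("T1003", "OS Credential Dumping", 6),
    Threat("T1486", "Data Encrypted for Impact", 5),
]

# Constructed control inventory with hypothetical identifiers.
CONTROLS = [
    Control("EDR-001", "Suspicious script interpreter child process", frozenset({"T1059"})),
    Control("MAIL-002", "Attachment sandboxing", frozenset({"T1566"})),
    Control("IAM-003", "Impossible-travel login alert", frozenset({"T1078"}), enabled=False),
    Control("NET-004", "Legacy IDS signatures for remote-service exploits", frozenset({"T1210"})),
]


def coverage_report(threats, controls):
    """Map each targeted technique to the enabled controls that cover it."""
    active = [c for c in controls if c.enabled]
    report = {}
    for t in threats:
        covering = sorted(c.control_id for c in active if t.technique in c.techniques)
        report[t.technique] = {"name": t.name, "weight": t.weight, "controls": covering}
    return report


def coverage_score(report):
    """Weighted fraction of the threat profile with at least one enabled control."""
    total = sum(e["weight"] for e in report.values())
    covered = sum(e["weight"] for e in report.values() if e["controls"])
    return round(covered / total, 3) if total else 0.0


def prioritized_gaps(report):
    """Uncovered techniques, most heavily targeted first."""
    gaps = [(tid, e) for tid, e in report.items() if not e["controls"]]
    gaps.sort(key=lambda item: (-item[1]["weight"], item[0]))
    return [tid for tid, _ in gaps]


def disabled_relevant_controls(threats, controls):
    """Controls that would cover a targeted technique but are switched off."""
    targeted = {t.technique for t in threats}
    return sorted(c.control_id for c in controls if not c.enabled and c.techniques & targeted)


def idle_controls(threats, controls):
    """Controls whose techniques do not appear in the threat profile at all."""
    targeted = {t.technique for t in threats}
    return sorted(c.control_id for c in controls if not (c.techniques & targeted))


if __name__ == "__main__":
    rep = coverage_report(THREATS, CONTROLS)
    print("weighted coverage:", coverage_score(rep))
    print("top gaps:", prioritized_gaps(rep))
    print("disabled but relevant:", disabled_relevant_controls(THREATS, CONTROLS))
    print("idle controls:", idle_controls(THREATS, CONTROLS))
```

Run on the constructed data, the report shows that only two of the five targeted techniques have an enabled control, that the single biggest gap is closed simply by re-enabling IAM-003, and that NET-004 addresses nothing in the current threat profile. Re-running this against live rule state and a refreshed threat profile is what turns a point-in-time snapshot into the continuous measurement the text calls for.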
See Interpres in Action
Discover how you can reduce your time to assess capabilities from weeks to minutes.