In this episode of Redefining CyberSecurity Podcast, host Sean Martin connects with Matthew Rosenquist to discuss the SEC notification ruling, transparency in cybersecurity, and the impact on public companies and shareholders.
Guest: Matthew Rosenquist, CISO at Eclipz.io
On LinkedIn | https://www.linkedin.com/in/matthewrosenquist/
On Twitter | https://twitter.com/Matt_Rosenquist
On Medium | https://matthew-rosenquist.medium.com/
____________________________
Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin
____________________________
This Episode’s Sponsors
Imperva | https://itspm.ag/imperva277117988
Pentera | https://itspm.ag/penteri67a
___________________________
Episode Notes
In this thought-provoking episode of the Redefining CyberSecurity Podcast on the ITSPmagazine Podcast Network, host Sean Martin connects with Matthew Rosenquist to engage in a discussion about the recent SEC notification ruling. They explore the importance of transparency and accountability in cybersecurity for public companies as they dig into topics such as the need for transparency in security posture, the impact on shareholders and potential investors, and the role of privacy regulations in raising the security posture of industries like healthcare. They emphasize the value of notification and the balance between providing timely information to shareholders and avoiding potential lawsuits.
The conversation highlights the ethical implications of concealing information and the changing role of legal counsel in incident response. They discuss the potential emergence of whistleblowers to expose non-compliant companies and the impact of fines and penalties. They also touch on how transparency can drive accountability and impact business partners, vendors, and suppliers.
The episode recognizes the challenges companies face in operationalizing security, stresses the importance of continuous monitoring and evaluation of cybersecurity measures, and discusses the potential for companies to face lawsuits and the role of the board in overseeing cybersecurity controls.
Overall, this episode offers valuable insights into the SEC notification ruling, providing listeners with a deeper understanding of its implications for cybersecurity, transparency, and accountability in public companies.
____________________________
Watch this and other videos on ITSPmagazine's YouTube Channel
Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:
📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq
ITSPmagazine YouTube Channel:
📺 https://www.youtube.com/@itspmagazine
____________________________
Resources
SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies: https://www.sec.gov/news/press-release/2023-139
Matthew's post on LinkedIn: https://www.linkedin.com/posts/matthewrosenquist_clorox-says-last-months-cyberattack-is-still-activity-7109565860331065344-yRec/
____________________________
To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:
https://www.itspmagazine.com/redefining-cybersecurity-podcast
Are you interested in sponsoring an ITSPmagazine Channel?
👉 https://www.itspmagazine.com/sponsor-the-itspmagazine-podcast-network
Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.
_________________________________________
[00:00:00] Sean Martin: And here we are. This is Sean Martin, host of the Redefining CyberSecurity ITSP Magazine Podcast Network. You're very welcome to a new episode where I attempt to help folks think differently about how to operationalize security in the organization, but to just protect... systems and assets and data, but also help generate and then protect the growth that they generate as well.
Not an easy task. I don't envy a lot of the folks that are sitting in seats as analysts and practitioners and certainly the security leaders who bear the brunt of a lot of the threats and attacks that come their way, but it's an important part of business. Society and humanity overall, especially as things get more digital.
Um, and today the topic is around, uh, the SEC notification. Cause if, if we don't know what's really happening, how can we... and share that perhaps, how do we know what's really going on? Um, so that we can learn from it. But I think the SEC with their new ruling has a different objective, uh, in line with protecting shareholders and, and, uh, protecting against insider trading and things like that, and who knows what else, and I'm the ignorant one today.
Well, every day, I think, but, uh, especially today, cause I haven't, haven't spent a lot of time digging into what is all in the ruling and what people have to do and the chaos it's creating. That's why I brought Matthew Rosenquist on. He's going to, he's going to be the knowledgeable one here. Um, even if it's just a matter of helping us understand what people are questioning and understanding what people are thinking and hopefully getting us all to think differently about what to do now that this, this rule is in place.
So Matthew, good to have you on.
[00:01:53] Matthew Rosenquist: Pleasure to be here, as always.
[00:01:55] Sean Martin: Yes, and my, my, my nice long rant. Hopefully people know how to skip through my BS at the beginning here. This is an important topic and I know it's important, but I don't know much about it. And that's what we're going to talk about. But before we do, people have seen you on the show many times, but just a quick recap of what you're up to these days.
And, and, uh. Yeah, I think maybe, maybe a quick word of why you think this is important.
[00:02:23] Matthew Rosenquist: I'll just be sure. Um, so I'm Matthew Rosenquist. Uh, I'm a CISO. I've been a cybersecurity strategist. I've been in the industry doing security for 34 years, something like that. And I love it. I have a passion for it. So I get the opportunity to do keynotes and speak and, and talk about the future of cybersecurity, the threats and the risks and all that kind of cool stuff.
And one of the important things around this industry is around regulations. It's kind of the hard and fast, um, you know, guardrails that you're not supposed to go beyond. So it sets a minimum bar for industries, sectors, organizations, things of that sort. And what you had mentioned with the SEC ruling is kind of a watershed moment where we've seen this ruling that puts down guidelines, not guidelines, requirements for any publicly traded company.
So if you're a private company, you know, you don't have to necessarily worry about this, but it even influences you because if public sentiment and expectations are in alignment with what the public companies do are doing, there may be some ramifications and kind of setting the same expectations for your company.
And it may come very similar with a private funding. Private funding may want something similar from your organization. So these kinds of rulings are important.
[00:03:47] Sean Martin: Are important. And my mind's already going a mile a minute. I was just thinking, well, third party relationships. I don't know, we'll probably get into that.
But anyway, um, you started to touch on it, but let's, let's provide an overview of what this means. There's some specific language and, and actions that organizations regulated.
[00:04:10] Matthew Rosenquist: Yeah. So, and, and this is all public. You can go out and take a look at the exact wording and everybody's kind of talking about it.
There's a lot of buzz about this and we're seeing some of the notifications come out right now. Uh, but basically what the SEC is saying is there needs to be a new level of transparency. And so there are certain requirements for public companies if they have a material breach or a material incident.
And that's the way they're phrasing it needs to be material. And this is not unusual, right? Companies report material things in quarterly earnings reports and so on and so forth to investors. So if there's a cybersecurity incident, that's material. They have to report it within four days. And so there's some controversy around that.
There's controversy around, well, what's material and why four days? Um, there's also another requirement in there that these public companies need to outline what kind of cybersecurity control over, overarching kind of strategy and kind of control that the board has access to, right? So is the board aware of the security controls and has some say in it, or are they completely blind?
And the idea there is, that will help drive companies not wanting to say, Hey, we're blind. We don't know, um, to be able to say, Oh no, we do. We've got a formal program. We have a CISO, we get regular reports. And, and maybe even we've got certain people on the board that have security savvy or something. Um, there's no requirement for that.
That was pulled out of this latest version, but it gives the opportunity for the company to showcase that. Yes, the board is. So you got two things, transparency and accountability. Transparency for material events and accountability to say, yes, this is in the senior levels, including the board. They are aware of it.
This is part of their umbrella.
[00:06:22] Sean Martin: Oh boy, I could take this so many directions. The one that's been top of mind was, I would imagine the board of directors and the executive leadership team that That comes on now has responsibility and asked to actually claim it.
[00:06:41] Matthew Rosenquist: Yes.
[00:06:42] Sean Martin: Contracts for employment are probably going to look very different these days as well.
[00:06:48] Matthew Rosenquist: Yeah. Well, unfortunately, cyber attacks, um, can't have material impacts, which means it can impact investor, uh, sentiment and what they're willing to put in or take out. So it is kind of important. It is now becoming a board level.
As you mentioned, as we all kind of embrace digital technology, we rely on it more. And if somebody is disrupting that or manipulating that even worse, that can cause severe issues. And we've seen, you know, companies crater before we've had companies have their CEO fired and, and other executives, uh, boards change up because of incidents and incidents that weren't handled appropriately.
Uh, we need to make sure, and the SEC is very clear on this, that because of those dependencies, there does need to be clear accountability and that has to tie to the board, these level of issues. So yes, if it's a material issue and you got to report it and you have to tell what kind of structure, uh, give some assurances that there is cybersecurity oversight at the board level, even if it didn't work. Yeah, you know what? You know what? Let me interject here. Cybersecurity is not binary. It's not you're completely impervious or you're completely vulnerable to everything. There is a range. Right. And we have to decide what that optimal place is on that range.
And there's trade-offs, there's costs, there's friction to users and employees and partners. There's all sorts of, sorts of things that we have to factor into that calculus. So it's not one end or the other, it's finding a range and that kind of decision should have some visibility at the board level, if not kind of the overarching control over it, even if they don't deal with the minutiae.
[00:08:46] Sean Martin: So I know we're talking about notification. We didn't, we didn't get into, I kind of alluded to it, but the whole, I guess the main point is to protect the shareholders, which I'll describe that in a second, but I guess by notifying, well, I'm going to actually talk to me about what does notification mean?
What does it include? Who sees it? Cause then that'll lead me to my next question, which I think.
[00:09:14] Matthew Rosenquist: Okay. The way it's supposed to work is if there is a cyber incident. Right. Then the companies as part of their crisis response planning should determine, uh, is this going to be material? Is this something that could move the needle on our investors, right?
And companies already have materiality guidelines because they have to report that if you're a public company. If you're a private company, you don't have to talk about anything. Right. But the SEC governs public companies and it does it because it wants to protect investors. If investors are well informed, they can make informed decisions.
If they aren't informed, but let's say a small group of employees or shareholders, something, are, they may make trades and take advantage of opportunities. So the only way to fix that is to make sure everything is open. And now we have an even playing field. And when it comes to cybersecurity, if you have a ransomware attack and your internal systems are down, there's going to be a lot of employees and maybe even vendors, third party suppliers that know you're impacted.
This might bring you down. You might, this might be day number 15, right? That systems are down. And if they're shareholders, they may act on that information, that inside information, because if the public doesn't know, they'll think everything's fine. So to alleviate that, right, SEC says, no, if something happens and you determine, determine that it's a material incident, you got to report it within four days.
That goes to the SEC with the, and that's going to go out to everybody. The shareholders need to know so that they can make good investment decisions and they're not running blind and they're not at a disadvantage compared to those who do have the insider information. So it's about transparency when we're talking about reporting.
Now, what needs to be reported is what is going on, right? Was it a data breach? Are your systems down? There's no specification that says, hey, you have to say exactly, um, what vulnerability was exploited or what piece of malware. No, no. Again, the intention is
[00:11:32] Sean Martin: a lot of the hype and freak.
[00:11:34] Matthew Rosenquist: Yeah, yeah, no, you don't have to, you know, lift up the kimono or expose anything that, that, that would help further, you know, the attack, but you do have to let the stockholders know what, you know, and you know, the reality is you may not know everything at four days.
In fact, I guarantee you're not going to know everything. There's no expectation. You will know everything and you can attribute exactly who did what, when and how. No. But that isn't the point. The point is to provide enough information that the shareholders have a good understanding and they can make a good business decision regarding their investments in your company.
And it's, it's not fun, right? Um, you know, nobody wants to report, hey, we were breached or hey, we had a ransomware attack or hey, our, um, you know, customers can't get into their hotel rooms. Nobody wants to see that. The last point.
Manufacturing lines are down. Who knows? There could be lots of things. The
[00:12:33] Sean Martin: first few points you made, I think that's that part of it. Slight tangent here, but the fact that we don't want to talk about being breached I think is a big part of it. It's probably why this is happening as well. But uh, yeah, if I, I don't want my my customers not, not to be able to access their hotel room.
That I care about, I want to talk about, but we should also want to talk about the source and the reason behind it. Um, so the, the, the thing I was thinking is, well, I guess who, who sees this information?
[00:13:10] Matthew Rosenquist: Well, it's got to go to the public, right? Because the shareholders, it's
[00:13:15] Sean Martin: It's the public and
[00:13:16] Matthew Rosenquist: you determine it.
And once a shareholder knows, there's nothing holding them back. They don't have an NDA. It's on Twitter or X or whatever social platform you're on.
[00:13:26] Sean Martin: I'm about to press, uh,
[00:13:28] Matthew Rosenquist: order, right? Reply to world. Yes.
[00:13:32] Sean Martin: I'm about to hit trade on that, uh, on that buy. So I guess I'm a potential shareholder as well. You're a potential shareholder.
The public needs to know. So the question I wanted to have, and this, this may not... I may be blowing this up. I may be one of the, uh, the freak outers talking, uh, sharing something that doesn't really matter. But I, I get the point of it that we want the shareholders to be aware and we want them to make good decisions based on the information that we have handy. Does that not mean we should have more transparency in our security posture? Cause, cause once the, once the breach has occurred, once the material incident has taken place.
I don't know. It's too late to make a decision on what
but if I, but if I know, I mean, I can, I can look in to see where companies are hiring people, where they have offices. If I don't like what they're doing from a social perspective, if they're at risk from, from geopolitical issues. Right. I, I'd equally want to know before, before a strike that, uh, that, that they're at risk from cyber, I guess, I guess the point is that that's, yeah, I was just gonna say,
[00:14:56] Matthew Rosenquist: you know, and part of this transparency, it is a forcing function to move the needle in the industry, right? Okay. So a question, how many companies have had a breach that didn't report it? Um, we'll probably never know, but now that we have the rules and nobody wants to mess with the SEC, I'll tell you that right now, no public company really wants to mess with the SEC.
Um, now we're going to find out, we're going to find out who has been breached and it was material, not, Oh, once the one person's laptop went down. Right. Uh, no. When a significant issue happens, it's not going to be hidden. It can't be. That's going to fundamentally change them, which brings more of a spotlight to accountability.
Transparency feeds into accountability. Because if your shareholders start seeing you have a lot of breaches and you're not investing in cybersecurity, they may be abandoning your stock. Uh, your business partners, vendors, suppliers may not really want you to be their supplier, may not want you to have their data, their sensitive data, right?
Again, that level of transparency will drive accountability and there are serious business considerations to take into account. Now, there are some companies that are already, you know, very forthright. When something happens, they're out and they're letting their customers know, Hey, heads up, something's going on.
We see potential data breach. We see something. We don't have all the details yet, but we want you to know heads up and we're working it. That's awesome. And this kind of regulation just evens the playing field. Right? Among the companies that are going, Hey, we're not going to tell our customers that we lost our data.
We're not going to do that unless we absolutely positively have to. And it'll be after nine months of doing an investigation, giving the attackers nine months to abuse our customers. And by then, who knows, maybe other companies have had their data breached of that customer and the customer won't really know.
Was it us? Was it some other breach? I don't know. Indecision is good. Right? So again, accountability. Transparency leads to accountability and many companies aren't happy though, for obvious reasons. What's
[00:17:23] Sean Martin: um, I'm interested in your perspective on this because notification is not new. We can, we can look all the way back to HIPAA, the Office of Civil Rights, OCR.
And many times I've looked at that database to see how many companies, how many total records. Companies operating in the healthcare space with a formal agreement with, with, uh, either, either a proprietor or a formal agreement with a provider, I think is what it is. And, I don't know. Your perspective. Have we seen, I think we've seen tools and frameworks help companies large and small kind of find the path to implement controls to avoid.
Um, but so I don't know. Do you feel that that has helped the healthcare industry become more secure, raise the posture, not just the notification?
[00:18:27] Matthew Rosenquist: Yeah. The privacy regulations have had a major impact. Uh, in fact, you try and do business with somebody in the EU, right? GDPR is going to be part of the discussion.
Uh, so it can fundamentally change the architecture of your services that you offer, offer where you have data, where it's being processed, where it's being shared, and if it gets away from you, if you're not following the rules. You may have a major impact in fines, penalties. Um, you may not be able to do business in those environments anymore.
So there's lots of, lots of things that can, as a forcing function, mandate the maturity level, right, go up within a company. And it's great that, okay, if a company loses my PII or PHI, personal information or personal health information, right? Um, that if it meets certain criteria, right? So many records were lost and there were certain fields, but not other fields or some combination of fields, they may have to send me a letter.
There's no requirement for the stockholders to know. And there's not much of a requirement for them to know in a timely manner. When an incident like that happens, the employees, right, are going to know something's up and many of them will be very aware. They can start dumping the stock. I mean, seriously.
Oh, hey, look, my server is, is locked. It's, you know, encrypted. I can see the ransomware notice there. You know what? Let me go make a quick trade. I bet we're going to feel this at some point. Great. The employee has that advantage. What about the shareholder? So this is again, it's really about protecting the shareholder and making sure that it's equitable, right?
They have the same information as everyone else.
[00:20:23] Sean Martin: So that makes me question is four days too long.
[00:20:28] Matthew Rosenquist: Everybody decries that's too soon. That's too soon.
[00:20:33] Sean Martin: I think if, if you are running a company with any level of ethics and, and scruples, you want to do the right thing, even if it's not, um, not comfortable,
[00:20:48] Matthew Rosenquist: I guess is the right way to put it. Comfortable. I like that. I thought you were going to say profitable, but yeah, let's go with comfortable.
[00:20:55] Sean Martin: More profit means more comfort. But, uh, yeah.
[00:20:57] Matthew Rosenquist: Okay.
[00:20:59] Sean Martin: But, uh, yeah, I would think that even for, I mean, we see, and this is where maybe some of the, I don't want to, I don't want to tell a lot of myself because people will, will sue me. If an organization gets popped, there could be class and we've seen a class action suit.
So if, if somebody notifies within the four day period, yet the stock takes a tumble because people traded in on the second or third day, we're still going to potentially see people not very happy anyway.
[00:21:34] Matthew Rosenquist: Yeah. There's going to be lawsuits either way. Yeah. Um, you know, and lawsuits typically are a result of a claim of neglect.
You know, you didn't meet your fiduciary duty as a board member. There was some neglect or something within the structure of your system. And that, again, in of itself is a forcing function to make sure that board members do align to their fiduciary duty. And if you didn't have that risk... Hey, board members, you can't be sued for anything.
Oh, really? All right. So, you know, yeah, the lawsuits are not fun and they tie up the court and there's all sorts of bad things, but again, it puts tension in the system to make sure people should be doing what they're doing. But if you're concealing information, well, then there's a lot less chance of a lawsuit coming out, right?
Well, wait a second. You're concealing things. Why would you change? If there's no fear of repercussions. Why would you do something like actually invest in your security program? Right? Uh, build a more secure product. Uh, make sure you have the ability to detect and recover very efficiently for minimal impact.
There's no reason to. So this again helps that overall maturity come back up. And those four days, it, it is tough. So, um, I was head of a crisis team, uh, you know, for Intel when, when I worked there, so I was the first incident commander of the company. So four days doesn't seem like a lot to many people, but the reality is you don't have to have all the details.
In that four day window, you just really need to understand. Hey, is this material? And in many cases, you may see some dominoes falling, right? We've got one factory down out of 50. Well, okay. That's really not material, right? We have normally one down anyway for maintenance, but it looks like the next three are going to fall here soon.
Okay, it's pretty easy to make those kinds of calls. You may not be right 100%, but you need to be able to show good faith, which means you need documentation. And if you're challenged by the SEC, you need to go, Hey, here's my meeting minutes. This is exactly what we went through, and this is the moment we decided it was material.
And they may look at it and go, yeah, that makes sense. Or they may look at it and go, wait a second, you saw the other three, you know, factories hit that yellow light and you knew they were going to fall and you waited until they went red. Nah, no, we're, we're, we're going to start the clock back here. Right.
We're going to play some rationality games with you and we're going to hold you accountable. Okay. That's what this is about. So you don't have to have all the details at four days. You don't. You just need to know whether it's material. Therefore your shareholders, they need to be informed.
[00:24:33] Sean Martin: So I've heard over the years that a lot of organizations use a, use legal counsel as their first point of incident response.
Yes. So they can have client privilege there. Um, any, any impact on that?
[00:24:56] Matthew Rosenquist: Um, well, if you're not complying with SEC regulations, you are breaking the law. And confidentiality with your attorney, with the intent of concealing a crime, not a bond. The SEC is not going to take very kindly to that at all. And I assume your shareholders are not going to take very kindly to any management or board that is pursuing that.
In fact, that's kind of in conflict of your fiduciary duty as a board member to allow these kinds of things to happen. So it's not a perfect system. It is not, but, um, there are a lot of inherent checks and balances, especially when we talk about cyber security, because again, a lot of those become very noticeable to more than just one or two people within an organization.
Right. So because of that, there are all sorts of other potential challengers. We may see very shortly whistleblowers when a company doesn't come out within four days. You may see a whistleblower turn around and go, Hey, SEC, by the way, my company is not acting ethically. They're breaking your rules. And so when you find them, I'll take, I think it's 25%.
If I remember right whistleblowers, I think at 25 percent of the fine. So when you find my company, you know, 10 million, yeah, I'll take my cut. I'll, I'll take that 25 percent off the top. I think you still get taxed on it. I'm not sure. I asked your financial advisor, but there are now financial incentives that will again.
And, and as you said, generally speaking, people want to do the right thing, right? This simply helps define what is the right thing without this ruling. Somebody can go, well, you know, I kept it concealed cause I thought it would be the right thing. We had, you know, Uber, uh, we had his, the CISO over there, former CISO over there almost go to jail.
And you know, his claim was, Oh, well, I was trying to do the right thing. Okay. So now we have rules that clearly show that is not the right thing. So let's take some of that ambiguity out of the picture here and here's some new jewelry to wear, you know, um, in, in your 10 by 10 cell. So again, we're just simply clarifying and, and moving the industry to be more mature.
The one thing I don't want to happen is for people to go, Oh, well, this is all I have to do. No, all the regulations, whether they're privacy or cybersecurity or anything else, that's like the bottom of the bottom. That's baseline. You know, if you want good security, you have to invest up from there. You have to go above and beyond.
And way, way up here is actually industry best practices. So regulations just raise all boats to a minimum heartbeat level, but if you want to perform, you have to invest higher than that.
[00:28:15] Sean Martin: I agree completely. What, um, I'll mention one cause I, I don't know the answer of course, cause I'm ignorant here. Is there, I notify, then there's an investigation.
Is that kind of the path or, or cause I, I don't know. I think SEC and I think SEC investigation. Something went wrong. I'm going to dig in and find out. Is that a, is that a freak out that is, well, what is the state of that? And is there other, if that's not a real thing, are there other areas where people are freaking out that are not real misconceptions?
[00:28:53] Matthew Rosenquist: Yeah. The SEC, I don't think as soon as you notify them is going to come kicking in your door and go, Oh, we're going to investigate you. Right. The SEC investigates for non compliance to SEC rules. So if they think at some point down the road, you didn't comply with SEC rules. Expect a knock at the door, right?
That may happen. Um, but if you're running an incident and you let them know in good faith and you're updating it, right? Because at day four, day three, you don't have a full picture. And day five, you're going to have more information. And day 10, you may go, Hey, we thought on this, on day three, it was a million records lost, but on day nine, it could have been 6 million exposed.
We're not sure, we're still looking at it. Fine. You're communicating that. Okay. And maybe on day 20, we go, Woo. Hey, we looked into it and it was actually less than a million. It was only 500,000. So now we're going to clarify that. Well, awesome. You're sharing pertinent information in good faith, right? I can't imagine, and I'm not the SEC, but I cannot imagine the SEC would come back and be angry with you and go, Oh, well you weren't compliant.
No, you, you were compliant and you continued in good faith. That's what they're looking for. Now, yeah, if you have a cyber incident, you should have an investigation running to figure out, you know, what's going on. And you're going to have to report much more detail in that quarterly report, because investors are going to ask you.
I guarantee you on that call, if you had an SEC report of a material finding, that needs to be in your quarterly report and there's going to be all sorts of premier shareholders that are going to have some very clear questions for you on your quarterly investor call. As they should, this is a good thing.
[00:30:41] Sean Martin: Absolutely. Um, I want to turn to, cause I mean, I, I could continue digging deep and going wide on this, but I want to, on the show, you know, I like to talk about how to operationalize stuff. So I guess
what, what changes do... we're talking public companies here. What changes do they need to consider making? So you mentioned early on, uh, the crisis management plan, so clearly this is a, an item, however big or small it is.
It's an item in there now, but, uh, we touched on stuff with the board. We executive leadership team, there's communications. I don't know what, what, what things have to be modified to really.
[00:31:29] Matthew Rosenquist: Well, you have to, to reorganize yourself to where you can meet those requirements. And I was talking to some board members the other day, and the question they had to me is, okay, when something happens.
Who do we call first? Who should be called when something potentially material in the cybersecurity world, right, happens? Who should be that first person we use, that somebody calls? And I said, if you want to be efficient, right, you want to be effective, you want to make sure you're comprehensive and consistent over time and improve, that first call should go to your crisis team. Should go to your incident commander. You should have a crisis response team. Maybe they're dedicated. Maybe you don't need a dedicated one, but they're experienced. They have control. They have the tools. And more importantly, they have the repeatable processes. And if somebody calls that intake, and it could be the incident commander, it could be a call center, that route, they are going to follow a process.
They're going to pull off the shelf, right, a hard copy more than likely of, okay, here's my process. And as part of that, they're going to do initial triage and troubleshooting. They're going to have a list of people to call based on what it is. A life safety situation involving cyber is going to be a little bit different than, you know, maybe an internal embezzlement, right?
Some, some money disappeared out of finance and they don't know where it went, right? So, but they will have, or should have, a process to say, okay, how do I assemble my team? And one of the people on that team will be a communications person, and they will have their own process. Who do I communicate with, and when? What details do I share? You know, do I have to get ahold of the SEC? Do I have to get ahold of the FBI? Do I have to get ahold of the board? Do I have to get ahold of whomever, business partners, suppliers, vendors, whatever. But all the sanitized communication will go through them. And legal, you'll have legal on your team, your legal person will be looking at those templates and making sure, yep, this is appropriate for what we're supposed to do.
Yes, the information has been properly vetted or redacted as need be. And yes, go ahead. But you build a good process. Nobody likes emergencies, but the team that has a solid process that's repeatable, that you can do a post mortem afterwards and go, yeah, hey, it took six minutes to make this call. I bet we could shave that down to three minutes next time.
Yeah. Let's figure out how to do that. Now you're continuously improving. I mean, hopefully you never have to use the process, but you should be testing it at least once a year. You should have clear roles and responsibilities. You should have somebody that oversees the update of that, because people leave and move roles and new hires and all that, right?
But it's got to be a living, breathing process for incident response, for crisis management. And part of that is: is this material? If it is, we have a separate process we have to follow. And they act on it.
[00:34:53] Sean Martin: And so, as we're talking process, well, I see, I can picture the book coming off the shelf and flipping through the pages.
[00:35:02] Matthew Rosenquist: We do mandate a book, by the way. You have to have a book in case power goes out or internet goes down or whatever.
[00:35:09] Sean Martin: Exactly. But this is a point that may be, I don't know, interesting to me anyway, because I'm a program manager at heart, that's just how I operate. So a book is a process. There are things you need to do.
Um, it, it doesn't necessarily mean it looks like a Gantt chart.
[00:35:31] Matthew Rosenquist: There will be one of those in there, probably. There'll be every chart known to man, depending on how you organize it.
[00:35:37] Sean Martin: Cause when I'm, when I'm picturing the biggest change, there may be other triggers here, but the biggest change for me would be a work-back schedule, where you're not just starting and working forward. You actually have an end point four days out that you need to work back from now to, uh, to accomplish certain things and know certain things in time for that particular moment.
[00:36:02] Matthew Rosenquist: Yeah. And that's your outside window. You probably want to shoot ahead a little bit, swing a little bit early. Um, and again, if you've got a great response process, you can go through that pretty quick.
You can, right. And the board's going to want to know, they're going to want to know fast. You know, if something happens, that actually helps your reporting and bringing in of the C-suite and the board as needed, so they get a better understanding and feel of what's going on. So this can help their, um, you know, control of the situation and empowerment as well.
[00:36:41] Sean Martin: Perfect. Well, I think we've, uh, we've covered quite a bit here. I know there was a, there's a LinkedIn post talking about, are we exposing too much and then providing OSINT for bad actors, and I think there's a few other comments in there. I'll include a, I'll include a link to, to that post.
Cause I think there's some interesting points and discussion going on there. And, uh, yeah, I would encourage everybody to jump on that too. And of course, if you have thoughts or questions specific to Matthew and me, um, feel free to comment on social media and we'll, we'll engage there too. I don't know, anything we didn't touch on that, uh, you think is like a burning point?
[00:37:27] Matthew Rosenquist: Well, I think now we're going to see more. We're going to see more of these companies come out, which I think is good, right? That's transparency. Um, and there is concern about releasing too much information, right? OSINT, uh, to give away too much data, uh, or vulnerabilities or things like that. But again, this is the world that we live in.
We're security professionals. We are very, very conscious of that and we want to restrict that. And so it becomes a need-to-know exercise. And that's right up our alley. So yes, there's concerns if you, Oh, well, we have to release a vulnerable, exact vulnerability in the name of the system and the IP address.
No, no, no, no. Um, if you choose to do that, you're doing it at your own risk. And, you know, you should probably bring somebody with a security background in before you make that choice. But you know, this is what we deal with and we are just now forced to communicate that out to everyone. Bringing that transparency, which is uncomfortable.
It's uncomfortable. We will get used to it. Uncomfortable. And we'll all be better for it.
[00:38:35] Sean Martin: That's right. The discomfort of, of, uh, sharing, sharing, sharing is caring, but it can be this uncomfortable.
Uh, well, Matthew, it's always great to chat with you. And, um, so grateful you knew what you were talking about and allowed me to ask the silly, stupid questions.
[00:38:56] Matthew Rosenquist: It's all good. It's teamwork, my friend.
[00:38:58] Sean Martin: Maybe somebody else has the same question as me. I don't know. But, uh, I think the
[00:39:03] Matthew Rosenquist: only one.
[00:39:04] Sean Martin: No question, the insight you provided is super helpful. So, um, thank you for, uh, for taking this time with me as always and, uh, for everything you do for the team, for the community and, and for businesses all over the place. And thank you listeners for, for joining and, uh, and listening and watching if you're watching the video.
And, uh, I'm sure, we'll, I said I'll include the, the link to the LinkedIn post so you can, you can chew on that for a little bit. And anything else that Matthew thinks is important, of course I can share a link to the actual ruling too, so look at the language that we've kind of touched on today. Um, yeah, so thanks for listening, watching, sharing, subscribing, and uh, most importantly, thinking.
See you on the next one.