Redefining CyberSecurity

Transforming Cybersecurity Governance: The Role of Enterprise Risk Management (ERM) in the Context of the SEC Incident Reporting Rule | A Conversation with Keyaan Williams | Redefining CyberSecurity Podcast with Sean Martin

Episode Summary

In this episode of the Redefining CyberSecurity Podcast, host Sean Martin and guest Keyaan Williams discuss the SEC Incident Reporting Rule's potential impact on cyber security responsibility within organizations. They highlight the requirement for an enterprise-wide risk management strategy, timely determination of the materiality of security incidents, robust governance structures, and a team-based approach to handling cyber risks.

Episode Notes

Guest: Keyaan Williams, Founder and Managing Director of CLASS-LLC [@_CLASSllc]

On LinkedIn | https://www.linkedin.com/in/keyaan/

____________________________

Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin

____________________________

This Episode’s Sponsors

Imperva | https://itspm.ag/imperva277117988

Devo | https://itspm.ag/itspdvweb

___________________________

Episode Notes

In this episode of the Redefining CyberSecurity Podcast, hosted by Sean Martin, we are joined by guest Keyaan Williams to discuss the impact of the Securities and Exchange Commission (SEC) Incident Reporting Rule on organizations and its far-reaching implications. The wide-ranging discussion covers the shift in responsibility from a single Chief Information Security Officer (CISO) to the entire organization, the necessity for companies to have situational awareness to rapidly determine the materiality of cyber security incidents, and how these rules affect the company's enterprise risk management strategy.

Enterprise Risk Management (ERM) is integral to the way organizations protect themselves and manage risk. Rather than focusing exclusively on cybersecurity and cyber-related risk, ERM takes a holistic approach and considers all risks across the company. This comprehensive approach ensures that companies make well-informed decisions about how they allocate resources, prioritize risks, and choose specific areas to mitigate. ERM also distributes the burden of risk oversight, reducing the intense pressure on CISOs or any single department and making risk management a collective responsibility. In an era of increasing regulatory oversight, such as the new rules from the SEC, ERM also aims to help companies demonstrate that they are taking all necessary precautions and addressing regulatory requirements effectively.

Williams also emphasizes the need for businesses to prepare for increasing regulatory scrutiny by maintaining a robust governance structure and adopting a team-based approach to managing cybersecurity risks. He predicts the possibility of additional rule-making concerning cybersecurity in the future, and so views the current phase as the calm before the storm.

Williams ends the conversation with an invitation for listeners to provide feedback, reinforcing the theme of the episode: collective engagement in cybersecurity management.

___________________________

Watch this and other videos on ITSPmagazine's YouTube Channel

Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:

📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq

ITSPmagazine YouTube Channel:

📺 https://www.youtube.com/@itspmagazine

Be sure to share and subscribe!

___________________________

___________________________

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:

https://www.itspmagazine.com/redefining-cybersecurity-podcast

Are you interested in sponsoring an ITSPmagazine Channel?

👉 https://www.itspmagazine.com/sponsor-the-itspmagazine-podcast-network

Episode Transcription

Transforming Cybersecurity Governance: The Role of Enterprise Risk Management (ERM) in the Context of the SEC Incident Reporting Rule | A Conversation with Keyaan Williams | Redefining CyberSecurity Podcast with Sean Martin

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

Sean Martin: [00:00:00] And hello everybody. You're very welcome to a new episode of Redefining CyberSecurity here on the ITSPmagazine Podcast Network. This is Sean Martin, your host. And for those who follow, you know, I get to talk about all kinds of cool things, cyber related, to help the business, uh, generate and protect revenue. 
 

And, uh, there's always competing sides. Teams would just love to build policies and deploy controls, uh, mitigating controls, and then, and then sit back and monitor and respond to things. Um, that's not the full picture. The full picture includes a constant threat landscape. Uh, the, the, uh, bad actors don't sit back and wait. 
 

They, they're always on the, on the move. But then there's also the, uh, the regulations and the laws and other things that, uh, wreak havoc on programs, and, and a recent one is the, uh, SEC notification rule that [00:01:00] could change the way teams build their programs, managers lead their teams, report internally, manage things internally, and of course it impacts how they share what's going on externally and then when they have to do that. So a lot to cover today, and I'm thrilled to have Keyaan Williams on. 
 

Keyaan, it's good to see you.  
 

Keyaan Williams: Good to see you. I appreciate you having me, Sean.  
 

Sean Martin: Yeah, it's good to have you on the show. And, uh, I'm excited for this topic and thrilled to have you on. Um, I know you've done a lot of prep work. Probably one of the most prepared guests I've had, uh, I'll say ever. Uh, pretty, pretty amazing what you've done with this. 
 

Um, so I'm excited to dig into the topic, but before we do that, uh, folks who may not be familiar with you and some of the work you're up to, a little history about what's going on with CANF.  
 

Keyaan Williams: Yeah, so, um, I have the privilege of doing a lot of strategy and advisory [00:02:00] consulting. I have a great team behind me, some really interesting customers that I'll leave out of the podcast, but some really interesting organizations trust me to help them make smart decision, smart decisions, and it's a lot attributed to the work that I did at the Centers for Disease Control and Prevention for 12 years. I did a couple interesting things in the Army for eight years, and I have been blessed to be a security leader in some really cool organizations. 
 

So all of that comes together and puts me in a good position to make reasonable arguments about some of the best ways to do security leadership. And then I'll leave all the technical work to everybody else.  
 

Sean Martin: That's, that's about where I am at this point. Uh, one, I once was technical and now, now I pretend to know a little bit. 
 

Um, I like to have people on who, who know what's going on. So, uh, the, the notification rule, I think [00:03:00] most of my listeners probably have some idea of what it is, but I'd like to hear from you what you see, what it is from your perspective, and then we'll dig into how, how it impacts different organizations, how we can respond to that. 
 

Keyaan Williams: So I hadn't read it in a while. And in preparation for this, I actually went back, 186 pages in the reporting rule, but the thing that I'll add that puts it in context is it's very big letters and is double spaced. So they made it very easy for people to read. But what's interesting and what stands out from the reporting rule is the SEC tried to strike a balance between everything that was originally proposed in 2022 and what they actually implemented in 2024. Part of the issue that they're dealing with is that there has always been a requirement [00:04:00] that a material negative impact that affects the decision making of investors and publicly traded companies requires disclosure. 
 

Part of what the SEC is trying to do, and they lay this out in the decision making and the methodology and the rationale that they highlighted in those 186 pages, is that companies were providing different levels of specificity regarding the cause, the scope and the impact of a material cyber security event, which in some cases, people didn't say anything because there was no standard approach for sharing that information. 
 

And there's also a lot of information in the rule requirements that talks about what is the right format, which is the right document, what's the right approach. How do you make it easy for investors to locate, interpret, and analyze the information so that they can make a decision? And at the end of the day, it's really about investors. 
 

It [00:05:00] has nothing to do with security. You know, the role of the Securities and Exchange Commission is to provide oversight for public companies. Those public companies have people investing in them. It's mutual funds, stocks. It's all of the economic, it's a lot of economic activity that takes place, and people who are making decisions about where to park their money need to have enough information to say, is this, or is this not, a reputable company that has a good program, that has a handle on reducing risk to an acceptable level, so that the confidence that I have in my investment in the company meets a certain level of reasonableness, given all the options that are available in the marketplace. 
 

Sean Martin: So what, what you... And forgive me if I'm, if I'm missing something here, but what you described is a view into the program left of boom, and, and the, the reporting obviously is, [00:06:00] uh, to the right of something happening. So post, post event, um, which of course then, perhaps you can, you could say, prompts the company to reinforce their program or to do something better or different, differently. 
 

But, um, how, how does the reporting rule help investors? And I guess what I'm trying to get is the picture of what happens, when, from a reporting perspective, what's in the report, how does it go out? 'Cause to your point, it's really about the investors making a decision, right? So a bunch of security mumbo jumbo, uh, isn't going to necessarily help somebody who only knows finances or doesn't know, you know, finances, they're just playing the market. Right. So how, how does that, there's a big gap there for me. How do we get from A to Z there? 
 

Keyaan Williams: I think there are a couple of items that are in the language of the [00:07:00] final rulemaking that can help. So I'll, I'll tell you the justifications, and why the time frame for reporting is what it is according to the SEC. And so they, they, the SEC, not Keyaan in his opinion, but the regulator, said that there are three specific reasons that investors need timely and reliable information. Um, one of those reasons is that an increasing share of economic activity is dependent on electronic systems and disruptions to those systems. 
 

Large-scale attacks, ransomware, outages, solar flares that knock out AT&T, all of those things have an impact on the underlying publicly traded company that people are investing in. The second item that they had listed in the SEC rulemaking was that there has been a substantial rise in the prevalence of cybersecurity incidents. 
 

And that rise is [00:08:00] a combination of remote work resulting from COVID-19 as the catalyst, increasing reliance on third-party services. I think there's, um, some statistical information that says 90 percent of companies in the United States have at least one third-party service provider that supports their core operations. 
 

And so we're relying on third parties and that has to be considered. You also have the rapid monetization of cyber attacks. For the people in the audience, if they put on their CISO or their security leadership hat, malicious use of cybersecurity and the attacks, there's evidence for years over years that these people are operating a nine to five. 
 

Like it's a regular day job. They clock in like Fred Flintstone. They do their activity. They clock out at the end of the day and they go home to their families. All of this just demonstrates that people have figured out a way to monetize cybercrime. So then it [00:09:00] requires evidence of a good program in place and then disclosure when the program fails. 
 

The final thing from the SEC talking about justifications is that the cost and the consequences of security incidents are increasing for companies, and if we don't have a standard way for disclosing that, and there's no timely disclosure of that information, then it really does create a situation whereby people are investing in companies and they really don't know what the actual value of the company is. 
 

If we look at MGM, I don't, I had nothing to do with it. I wasn't involved in the assessment or the remediation, but public information, if you add up all the numbers, MGM spent 110 million related to what I would argue is a failure in their service management system, because we should be able to securely verify the identity of somebody when we're asking for a password reset. 
 

And not allow lateral movement across the environment [00:10:00] by a specific user without being stopped. And so it's getting technical and it's getting into the weeds. But at the end of the day, if I were an investor in MGM and I didn't know the financial impact, and I don't think 110 million is the ceiling, that's the floor, then that's going to influence whether or not I make that investment. 
 

So then you can look at MGM and Clorox and all these other companies that have had their information in the marketplace. What do we do about all the companies that you never hear about? Same impacts, same outcomes, the same information matters to investors. Because the SEC is focusing on people that are investing in these companies, and so I would argue it does start to make sense that we want to have a standard approach for a specific classification of companies that have a meaningful impact on economic activity in the United States, and then hold not the CSO as a specific [00:11:00] person, but the board and management and everybody accountable for managing cyber security risk and reducing it to a reasonable or acceptable level. 
 

Sean Martin: Yeah, thank you. Thank you. And I think, um, I mean, we're gonna get into some of the program stuff, and I'm just thinking, so prior to, I'll say, being forced to, uh, to report some, maybe there was some other regulation or some other jurisdiction or some other requirements somewhere that, that prompted an organization to share that information, uh, it became public knowledge anyway, so we have to at least respond to it. 
 

Um, those companies presumably were at a disadvantage then compared to those who had a breach and didn't, uh, expose or share that information. Um, so presumably investors would not invest with those as [00:12:00] much or as often or at the same levels or scale as ones that didn't disclose their breaches. So now everybody is going to be, I'll peel back everybody in a second, but everybody's going to be responsible to report. 
 

And kind of sets everybody on the same playing field, right?  
 

Keyaan Williams: I think having everybody on the same playing field is good. In the past, because rules have always existed about reporting material problems, not exclusive to cybersecurity, but just all publicly traded companies have always been subject to SEC rules that lead to an outcome that includes responsible disclosure, transparency about what's going on. 
 

Transparency is a key foundation of governance and a lot of public companies are subject to governance rules. A lot of public comp, actually I can't think of any public company that doesn't have a board of directors. And so all of these things have [00:13:00] always existed. The new focus on cybersecurity I think is interesting because cybersecurity is alchemy. 
 

You got a bunch of wizards in the background standing around a pot doing some magic and nobody knows what's happening. Those days are gone and now we're moving forward into an environment where the board is accountable for understanding the exposure that the company has and making decisions about how the board is going to leverage resources to respond to cyber security risk. 
 

The CEO is responsible. The chief operating officer is responsible. The chief financial officer has to justify spending in an environment where there's always going to be some trade-off, but you have no excuse for not spending on security. I think the outcome of this, even though it's exclusive to public companies in the United States, is going to change the entire ecosystem that we operate in, such that the [00:14:00] expectation is going to be that if there's a problem, companies, whether they're public or private or family owned or nonprofit, are going to say, Hey, ladies and gentlemen, this is what's going on. 
 

We had an issue. This is the impact of the issue. This is how people are going to be harmed. If nothing else, I think that's going to be good for everybody because now it removes that incentive for organizations to keep the information close to the vest, to not say anything, to not do any information sharing about indicators of compromise or tactics, techniques and procedures or all the other fancy buzzwords. 
 

But the more information that we have about what's happening, the more opportunity everybody who is interconnected in the digital age, the more opportunity all of the parties have to do some level of response. You know, if my neighbor next door has, um, if their house is hit by a flood and the flood hasn't hit me yet, well, if I know that they were hit by a flood, I'm going to start putting out [00:15:00] sandbags and taking other kinds of actions. 
 

I laugh because I want nothing to happen to my neighbor. I like my neighbor. But the idea is that if my neighbor is the forecast for what I'm going to face, because we're in the same neighborhood and I'm just downstream, I want to know what's happening to my neighbor so I can take action to protect myself. 
 

And once I've protected myself, now I can go help my neighbor. If everybody keeps everything that happens in cyber security a secret, nobody knows what's going on. And then the cyber criminals are the ones that end up winning because they share information with each other. Regular companies not sharing information with each other, I would argue is bad. 
 

And I think the SEC rules are the beginning of the opportunity for general counsel, legal officers, and other people to say, Hey, there is a framework by which we have a good reason to share information and make it public, and do it in a way that is standardized and [00:16:00] appropriate and is not going to expose the company to additional harm or other negative consequences. 
 

Sean Martin: So where, where do you see some of the biggest changes taking place? And I'm, I'm thinking full stack here, from, from board to C suite to managers, to security leadership, to program leaders, to analysts. I mean, kind of, you don't have to go up and down the whole, the whole thing, but I'm just curious, does it impact that whole stack? 
 

And is there an area that, that it really impacts more immediately, more impactfully at the moment?  
 

Keyaan Williams: I think the new rules from the SEC impact the whole stack, but I think the stack is defined by an obscure NIST document that nobody reads. So if you look up NIST Special Publication 800-39, that document is about security program management. [00:17:00]  
 

And in this 800-39, they divide the organization into a three-tier hierarchy, where the top of the organization is the board and executive leadership. And at that level, that top of the pyramid is supposed to define what are the acceptable boundaries of risk taking. If we accept risk, how much risk makes sense for our organization? 
 

What are our key risk areas? What are our key risk indicators? All of those questions are answered by the board and the CEO and executive management, which then allows, in the NIST model, for tier 2 to be the mission or business process tier, where you have your CFO and your COO and all of your C suite people executing the requirements established by the top. 
 

And so if you have security roles and responsibilities for the CFO, for the chief operating officer, for the chief information officer, for the chief finance, or for the chief human [00:18:00] resources officer. I'm trying to do a broad cross-cutting examination. Well, now it's not just the chief information security officer who was accountable for all security across the organization. 
 

It's that everybody who has that chief in his or her title has responsibilities for contributing to reducing risk to an acceptable level based on the way they operate in their department. And then the third level in that NIST 800-39 model is finally at the system level, where you have all your data processing and your information systems and your cloud services. 
 

I think the combination of the SEC requirements and the NIST 800-39 model shifts and distributes the burden of oversight and reporting and just plain old paying attention to everybody in the company, rather than only being focused on data and information systems, and not allowing [00:19:00] all of these other important business people to say, Oh, well, that's not my problem. 
 

We got a security guy that takes care of that. Or infrastructure. I don't care about infrastructure. I don't need to know how my applications work. I don't even need to have an inventory of all the data that's required for me to do the job of the chief operating officer or the human resources officer, because there's a CIO that takes care of that. 
 

People throwing it over the fence and saying it's somebody else's problem is one of the root causes for the amount of risk that we have. The rules, because of the way that they look at the programming that exists and the reporting and the accountability, apply to the entire organization. A reasonable publicly traded company is not going to say the success or failure of the entire organization is going to rest on the shoulders of the chief information security officer, because now everybody in the company has a vested interest in the outcome of the management of the security program and the responsibility to [00:20:00] do a public disclosure about how well that program is working and what is the root cause of an incident if we have one, and then providing that information within a timely manner.  
 

Sean Martin: So I love this. And, uh, in particular, the, the distributed responsibility. Um, yeah, basically saying, yeah, everybody has their own role to play and will be held accountable if, if, if they're not doing their part. 
 

Uh, there has to be a single point though, still in my mind where things land, right? Somebody has to say, this is the direction we're going to take things. And here, here is each of your roles in this plan to address this risk. Well, first, what are the risks? Here's a plan to address them. Here's, here's a role in, [00:21:00] in that program. 
 

Is that still the CISO, or has that...?  
 

Keyaan Williams: I would argue that it never should have been the CISO, you know, if, if you look at organizations that do risk management well, the high watermark, I would argue, is financial services. So if I go to, um, JPMorgan Chase, or if I go to Bank of America, or I go to another, uh, super large global financial institution, what has likely happened is the institution at the board of directors has documented a formal risk appetite statement. 
 

The risk appetite statement is going to declare all risks that the organization is exposed to. It's going to declare the organization's preference for responding to those risks. And then the risk appetite statement in a bank, as a specific example, is then going to say, what are the acceptable boundaries for our exposure as it relates to operational [00:22:00] outages, regulatory requirements, reputational harm, and a host of other things. And, and what that does, as an example from financial services, is it moves the risk conversation from cyber security risk management to enterprise risk management. Companies that do cybersecurity risk management well often have a very mature, very robust, well documented enterprise risk management approach, because the response to enterprise risk usually satisfies multiple requirements. 
 

Access control is not exclusive to cyber security. I need to control access for physical access to the building. And so you start to have these overlaps and all of your risk areas where the board says, you know what, it is acceptable if we're in the local news. But I don't want people on the other side of the world to know that we don't know how to manage our business very well. 
 

And so reputational harm becomes a risk area, and the [00:23:00] entire organization, not the CISO exclusively, is going to work to put countermeasures in place to limit the opportunity for there to be some kind of reputational harm. And so then you start taking all of those facets of enterprise risk management. 
 

Yes, cyber security is going to play a role. But if I look at the Control Objectives for Information and Related Technology for IT leaders, COBIT, it has managed risk as an objective inside the framework, but everything in COBIT can be used for security. When we talk about risk management or managed change, I can use everything in COBIT that a CIO would use to support change management and then add security impact analysis as an activity when we're making IT changes, where the objective is to control the IT environment, but we're still managing security risk by making sure we understand the impact of the change on the security posture that we have [00:24:00] in the organization. And so COBIT, COSO, ISO, you have all of these standards and frameworks that focus on enterprise risk management, where an experienced CISO can leverage a non-security framework to do good security work. 
 

I would argue that the possibility to even do that demonstrates that it was never the CISO's job to be responsible for all the risks. It was the CISO's opportunity to be part of the risk family so that everybody in the family is working together to reduce risk for the entire organization. Because anytime you have a silo, you are not leveraging or maximizing the use of resources. 
 

You have breakdowns, you have overlaps, you have people operating in isolation. Enterprise risk management brings everybody together and enterprise risk management when we apply it to the SEC rules really creates an opportunity for you to have a dedicated risk committee at the board level for the board committee that's looking at [00:25:00] enterprise risk to consider all risks that the organization faces. 
 

And then the board can make sure that resources are provided to reduce all of those risks to an acceptable level. Rather than having a one trick, one focus pony that says, Hey, look at me, look at me, I need to do something to prevent exploitation of vulnerabilities, but we can spend money once to solve multiple problems inside the ERM program, rather than having to spend it five times for five different risk management programs in the same organization. 
 

Sean Martin: So there are probably countless reasons why CISOs picked up the, uh, the bag, at least for cyber risk. And I mean, you can look at it from the complexities and the tech-based risk. You can look at the, the lack of understanding or awareness of the threats from a technical perspective, [00:26:00] so there's kind of this mojo there, and, and a sense of heroism. 
 

I think there's no question, right? There's a bit of heroism, and we've saved, we've saved the day in this event type of thing. And this is no slam on any of, anybody in the roles here. It's just how, how the field and the roles have, yeah, transformed over the years. Um, so there's a bit of holding on to that and kind of then, by virtue, kind of holding that risk bucket for cyber. 
 

Um, is this an opportunity? And do you think those in the role will, will embrace the opportunity to say, I'm going to let go of some of this stuff. I'm going to, rather, I'm going to be part of something bigger. I'm sure there are a number of companies that already do this, but I'm talking to maybe a broader set here. 
 

I'm going to share the responsibility as, [00:27:00] as described as necessary here. I'm going to help educate and inform the bigger picture with what I know. And therefore I'll benefit in X, Y, and Z ways. Do you think that's, this is an opportunity? Do you think people in that role embrace that opportunity?  
 

Keyaan Williams: It's hard to say what everybody's going to embrace everywhere. 
 

You know, you have a lot of very, very good CISOs who have always been technical people. And a more business oriented approach is uncomfortable. And you have very, very good CISOs who are business people that were never technology people, but have learned what they've needed to learn to be effective. I think rather than making a blanket statement about CISOs broadly, it's valuable to kind of highlight the different outcomes, if it's a team effort versus an individual effort. 
 

If we look at it from an individual effort, there is lots of [00:28:00] information that goes back multiple years, even before COVID-19, that said chief information security officers are burnt out, they don't have enough resources, budgets are not sufficient to keep up with the changes in the threat landscape or the changes in technology, just as we go from one iteration of technology to the next. 
 

And you have a single hero running around trying to do an extraordinary job with lack of support and resources. That's not going to be a winning strategy. The alternative is to say, Mr. or Mrs. CISO, I don't think it's fair for you to be the only single individual in the company that is responsible for everything that the company faces. 
 

Let us pull together a committee or a working group or a formal function within the business that looks at everything that we're facing. That has [00:29:00] a connection to the board to ensure that we get adequate resources and allows the entire team to work together to reduce all risks, inclusive of cyber security, but not exclusive, reduce all those risks to an acceptable level and where we can't reduce something we're going to document. 
 

We did X, Y, and Z because it was appropriate for the company. We exhausted all of our resources. We couldn't do anything else. And if something goes wrong, that was a risk that we as a group were willing to accept, rather than putting that burden on a single individual. Now, if I had the option to choose between the two opportunities, I would go with the team effort, because now I can leverage individuals from other teams to help solve cyber security problems. I have shoulders to cry on. I have people to drink coffee with. I don't have to go to my peer CISOs at an industry event where everybody sits around and complains about the support that they're not getting, [00:30:00] because we're shifting the model in such a way that it's inside the company that I have my support network. 
 

Now, my peers in the industry outside the company, which I would argue is valuable, because now we can really get into the deep secret details of what's really going on in my company and how do we address what we're facing. Because if I'm limited to only relying on my community of individual heroes, 
 

Well, there's only so much information that I can share before it becomes a problem. 
 

Sean Martin: So I'm inclined to... There's a point you made when, in the prep for this, uh, that I'm going to hold on to. I'm going to get there. I'm going to take a dive down first, the stack, to kind of, to the operations. In your experience, is there anything from the, from the reporting rule that dramatically impacts how CISOs run their programs? 
 

So the way their teams are [00:31:00] organized, the way they leverage technologies, uh, the types of data they do collect, don't collect, I don't know. Anything in there that you want to highlight? 
 

Keyaan Williams: Well, there's a section in the rules, and I mentioned that I had it up, and I think it's valuable to explore it. But, um, in the SEC rulemaking, there's a section that's called Disclosure of a Registrant's Risk Management Strategy and Governance Regarding Cybersecurity. 
 

If I were building a security program from scratch, the number one thing that I would do is take the list of everything that the SEC listed as data points that they're interested in. And then make sure that I have good metrics and reporting about all of those data points. Like, uh, some of the data points that they list are whether or not the organization has a risk assessment program. 
 

And if so, a description of the program, [00:32:00] you know, does the organization engage assessors, consultants, auditors, or third parties in conjunction with their risk assessment? Do they undertake activities to prevent, detect, and minimize the effects of cyber security incidents? The list goes on and on, but those are specific objectives that the regulator is looking for. You always want to build your program to the standard. They've already defined what they care about. And so now I can say, you know, am I using the Center for Internet Security Critical Security Controls, or, plug to my friends at NIST, they just released the new version of the Cybersecurity Framework, and the NIST CSF 2.0 has a governance step that's been added. And so there are all these opportunities to highlight and focus on things that the regulator is going to care about if there's a problem, but that also becomes the opportunity to get the business engaged in the conversation, because now [00:33:00] you're not saying, Hey, dear board, I want to talk about the Center for Internet Security's recommendations. 
 

It now becomes a conversation about a specific set of criteria that the Securities and Exchange Commission has recommended organizations have something in place for, and they're able to answer the questions when they come up about governance and strategy and program management for cyber security. 
 

Sean Martin: So funny enough, I think a few points you made kind of support where I wanted to take this as well. 
 

Because in the notes in prep, you said this is likely the calm before the storm, and I have a sneaking suspicion that some of what you just described might be factors in what you're about to say as well. So what is the calm before the storm that you're... 
 

Keyaan Williams: Well, I think the storm is more for businesses than the CSO as a role in the business. 
 

Um, there are a couple of things that are [00:34:00] interesting, simply by observation. Um, the SEC requested voluntary information from companies that were affected by SolarWinds. But every company that was affected by SolarWinds had an existing requirement to provide disclosure of material impacts to the organization. 
 

I can't prove it, but I think the SEC was playing games, saying, Hey, ladies and gentlemen, we want to verify that you're disclosing what you're supposed to disclose. So voluntarily tell us what was the impact of SolarWinds. That's a bit of a shell game that from their perspective, if my assumption is correct, allows them to determine what percent of companies are actually reporting what they're required to report. 
 

One of the other things, if you go back to the proposed rulemaking in 2022 and you compare that to what was actually executed within the last couple of months, there are a lot of things that were left out. [00:35:00] You know, there were, um, proposed requirements that board directors demonstrate competence and knowledge about cyber security, which is going to make them more interested. 
 

Um, there's a lot of gnashing of teeth and jumping around saying that we can't determine within four days whether the incident was material. I don't think that excuse is going to last very long, especially given the language about strategy and governance and program management. I would argue that it's in the best interest of companies to be very prepared, to have outstanding situational awareness, so that when there is a security incident, as part of your incident response, you can pinpoint and say these systems have this value to the organization. They do or do not meet the definition of material as defined by our company, given the expectations of the regulator. And you should be able to very [00:36:00] quickly say this was or wasn't material. I think the SEC is doing a slow rollout of the rules. I anticipate additional rulemaking this year that enhances... I, let me rephrase that. I anticipate that they are potentially going to include new rules on top of what has already been enforced, and I don't think that there is going to be a lot of opportunity for excuse, because we're running into a perfect storm of, uh, regulatory activity globally. In the European Union, they have an AI law that's going to be enacted soon. 
 

We have, um, the Cybersecurity Maturity Model Certification for the Department of Defense that's going to go into effect soon. We have other regulatory activity that is bubbling up in other countries related to privacy, security, and artificial intelligence, and I think it would be unwise for organizations, especially public [00:37:00] companies that are under the SEC rules, to kind of wipe their brow and say, all right, now I know exactly what I need to do. 
 

I am only going to focus on the cybersecurity reporting rule, and I'm not going to do anything else. I think doing nothing else and not building capacity and not building capability that responds to what we already see coming down the pipeline is going to be a big mistake. And I think we're just seeing the crest of the wave off in the distance because it's only been a small number of companies that have had an incident and then they've reported according to the disclosure rules. 
 

And some people are overreporting and some people are underreporting, but as this activity continues, as there's more enforcement, as there's more oversight of the regulators, and as we start having overlap between regulatory requirements, the burden is going to be worse. It is valuable for companies to start thinking about this now and put something in place so they don't have to spend 5 [00:38:00] billion in 5 weeks to do something that they could have been planning for strategically in advance. 
 

Sean Martin: Yeah, and I, I particularly like the situational awareness. Um, yeah, I think the excuses and exceptions will go away and just continue to tighten. So whatever, whatever bar is material now is going to raise or lower depending on how you look at it. Right?  
 

Keyaan Williams: Yeah. And Sean, I had one more point because we were kind of talking from the regulatory perspective. 
 

Yeah. Well, when we're talking about public companies, all these companies are supported by investors. Eventually, investors are going to get tired of this because they're losing money. The value of what they're investing in is reducing. The economy is already going through some transformation, given how we're moving away from the pandemic and dealing with new ways that people and companies are operating. [00:39:00] 
 

We are really on the cusp of a perfect storm where it may not even be the regulators that drive action; it becomes institutional investors, hedge funds, and individual consumers that say, you know what, I'm not putting my money into a company that can't take cybersecurity seriously and do something about it, because it's not easy, but it's not so difficult that it's impossible. 
 

Sean Martin: So you're saying outside of publicly traded companies that the SEC has oversight of, but broader companies that take money from other sources. 
 

Keyaan Williams: Yeah. Um, if, if you look at, um, if we move from technology and security to economics, one of the primary reasons that 60 percent of small businesses don't exist within 12 months after a cyber incident is switching costs. 
 

You know, if I have a mom and pop managed service provider and there are 50 in the marketplace, [00:40:00] whatever reason that I selected for the managed service provider to be my provider is not more important than the concern that I have. If that MSP has a cyber incident, my data is compromised, I'm a victim of business email compromise or some other thing that leaves an impression on myself as the owner of a business. 
 

I'm just going to pick one of your 49 competitors. And so people are going to use economics to make decisions related to how seriously they perceive businesses to take cybersecurity. And I think that's going to apply for public companies, for private companies, for family owned companies. At the end of the day, it's not going to matter because the power of the purse is a significant influencer on whether or not a business is viable. 
 

And if you lose all your customers because you had a cyber incident, who cares what the regulator says? You've gone out of business anyway. 
 

Sean Martin: Interesting. Interesting. A lot [00:41:00] of, uh, a lot of stuff coming. Can absolutely a lot of stuff. Well, we're, we're just over 40 minutes here. Um, no question. I could keep picking your brain. 
 

I think, uh, I think we'll leave it here. I think there's plenty of things for folks to chew on. Um, unless you have any, any final thoughts of something we didn't touch on that, uh, you think is important for, uh, primarily the C-suite. Let's speak to them. Anything we didn't touch on that they, they should be paying attention to? 
 

Keyaan Williams: I have an invitation for the audience. All right, there we go. Um, you and I thought this was an awesome idea. This I think is the best conversation I've had all day. If the audience wants to explore more, I think it's a good opportunity for them to send you feedback directly and say, Hey, Sean, this is what I wish you guys would have talked about. 
 

And then instead of extending it just based on what we assume people want to know, I would love to respond directly to specific points of interest that people highlighted. [00:42:00] It's a reason for everybody that listens to the podcast to share it with somebody else, because the more people who listen, the more feedback that we get, the better opportunity we have to make sure that we're answering the questions that are pressing on other people's minds. 
 

Because I'm much more of a business nerd than a technical nerd, and I don't want to drag people into corporate finance or economics too deeply. I think at the end of the day, the moral of the story that I tried to paint in this picture was that the work of a CISO is difficult. It is even more difficult if that person is a single hero by him or herself. The work that we're doing is not exclusive to a person that has the title CISO, and the more we can get the entire business engaged in satisfying the requirements, industry requirements and other regulatory obligations, the better off everybody is going to be, because all of these systems, services, applications, and businesses [00:43:00] are connected nationally in the United States where I live, but also globally, and everything that everybody does makes a difference. 
 

Sean Martin: I love that, Keyaan. Thank you for, uh, for that call to action for sure. And I would, I would say for me, I'd be welcome. We're open to, and hopefully you would be as well. If, if we get a lot of feedback, I'd be happy to have another, another chat and address some of those things. For me, what'd be interesting is, yes, there's the CISO role, but you touched on the broader, this is everybody's responsibility. So I'd, I'd be interested in perhaps, through the CISO, uh, perspectives or questions or, yeah, areas of concern from others in the organization, uh, after listening to this. What, what's the CEO and the CFO and the HRO and the, yeah, CRO, that's risk officer, what's their perspective on this, uh, [00:44:00] having listened to it? 
 

So, definitely welcome that. And, uh, yeah, appreciate you, Keyaan, taking the time for reading all hundred and six, 86 pages. And you're, you're amazing. Thank you for doing that. And, uh, thank you for sharing all this, and hopefully everybody enjoyed the conversation. You did do please share, comment, subscribe, and, uh, you know, hopefully we'll see, see you back on again. 
 

Keyaan Williams: I look forward to being part of an awesome series. Thanks again for having me, Sean. 
 

Sean Martin: Thanks a million.