
SEC strong-arm strategy, Chicken or the Egg?

Updated: Jan 10

ROI on the strategy?




While the SEC is attempting to take a risk [cyber] that is largely misunderstood, mystified to the masses and misguided (solution providers included), and strong-arm companies into a complete 180º...


While my position is to wait for the inevitable legal challenges before assuming any precedent, some fundamentals are sadly missed by articles on the SEC and cyber risk prosecution.

The immediate and long-term impact of the SEC strong-arming companies into submission will come into play: expect good cyber executives to demand higher pay now that the risk of prosecution is at an all-time high. For those unaware, cyber risk is an enigma for most companies, and combined with the risk:reward ratio most companies employ, this equates to higher odds of prosecution than most companies may be willing to accept. This all assumes that most companies will not happily lower projected earnings for the sake of lowering cyber risk.

Lest we forget, it is not the role of the CISO to address stakeholders. The CISO shall inform the executive they report to (often NOT the CEO). The shareholder notification shall come from the CEO, ultimately vetted by the PR/Legal translator.

This is basic business.


Additionally, company politics play a large part in the relationship between the risk executive and their peers: we already see the struggles in the board and CEO relationship; extrapolate that to a risk officer who can speak neither the language of risk nor the language of business.


Board risk expertise should assist in identifying what is systemic (e.g. downstream, supply chain or reputational impact) and what is costly (e.g. exceeds a threshold); the risk director or committee can then deep dive and conduct due diligence by confirming that the correct strategy is in play. As always, it is up to the executive officers to implement, even if a high number of deep dive sessions are needed.

Closing with: is strong-arming truly feasible, let alone the right way, to change the status quo in cybersecurity? Is the carriage leading the horse?

* Cybersecurity attack techniques are vastly unchanged since computers were invented; however, each company will have differing risks and solutions unique to them.

