I’d never felt the need to snap a selfie in front of a regulator’s headquarters before, until last week. When I was in Washington DC, I visited the cybersecurity industry’s favorite regulator: The U.S. Securities and Exchange Commission (SEC).
Whether you agree with what they’re doing, between updating their cyber rules and making SolarWinds (and their CISO) accountable, they are disrupting cyber for the better.
I refused to acknowledge it for the first 20 years of my career because, like many in our industry, I couldn’t wrap my head around why people didn’t care about cybersecurity. What I missed was the macro context.
While there are exceptions, for the most part, organizations will only “do the right thing” from a cyber standpoint if:
- A regulator says so; and/or,
- A material cybersecurity incident occurs.
It may seem cynical or defeatist, but this is reality. The sooner we acknowledge it, the faster we can go about getting the right things to happen while understanding the true levers for cyber investment.
Organizations have to manage many things using a finite amount of resources. Given unlimited resources, organizations would do everything they should do. Pragmatically, they cannot.
We spend far too much time overcomplicating everything to answer what is ultimately a simple question. As cyber professionals, we tie ourselves in knots trying to justify our existence with things that don’t matter.
The SEC is basically forcing companies to answer the following question:
“Are you OK, and if not, what are you doing about it?”
Organizations are being asked to prove they are:
GOVERNING CYBER RISK & CYBERSECURITY
In New York alone, the New York State Department of Financial Services followed the SEC’s lead earlier this month, and according to The Wall Street Journal, New York is about to enforce similar rules for its hospitals and, by association, the ecosystem servicing hospitals.
History has shown that where the US goes on cyber, the rest of the developed world follows. If you’re wondering how to get ahead of it before it inevitably reaches you, look to the SEC and New York.
Getting your cyber governance up to standard and aligned with what’s happening here on the east coast of the US puts you well ahead of any regulatory requirements that will inevitably reach you.