The recent announcement of the SEC providing guidance for corporations to disclose cyber security risks is interesting. It would be hard to say that’s a bad thing -- if there’s anything we should be able to agree on, it’s that more disclosure of breaches will help improve security. But it’s hard to know exactly what effect this will have on the way businesses look at information security.
The SEC is at pains to reassure businesses that they do not need to disclose information that could be used to assist attackers: "We are mindful of potential concerns that detailed disclosures could compromise cybersecurity efforts -- for example, by providing a “roadmap” for those who seek to infiltrate a registrant’s network security -- and we emphasize that disclosures of that nature are not required under the federal securities laws.”
That’s fair enough. I doubt anyone expects a business to disclose so much of its security processes and infrastructure that it leaves itself open to attack (or, more likely, makes an attacker’s life easier once an attack is under way).
The good news is that this clearly takes an initial step in directly linking the effectiveness of cyber security to the value of the business. Or rather, it links attacks to the costs that the business must bear, and forces them to disclose this to shareholders. Ultimately, that’s going to cause the boardroom to take cyber security worries more seriously.
Less clear to me, however, is the value of trying to force businesses to evaluate and declare the risks of an attack: “In evaluating whether risk factor disclosure should be provided, registrants should also consider the adequacy of preventative actions taken to reduce cybersecurity risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they are aware.”
Not that I don’t agree in principle, but the fact is that many organizations are rather poor at determining the level of risk that cyber attack actually presents to their business. Now, I’m not talking about the security team here (I find they are usually more than aware of the threats they are facing); rather, the disconnect occurs when those risks are linked to meaningful business impact -- which is the primary reason why so many IT security organizations have a hard time justifying spending money.
Answering the question “Is your business under threat of attack?” should almost universally result in a “Heck, yes” response. I wonder, though, how well that will translate to SEC filings and shareholder reports.
There’s also an interesting twist to this -- the Law of Unintended Consequences, if you will: by making organizations more open about the business impact of a breach, the SEC is actually increasing the business impact of breaches that occur. This means that companies must be more diligent about reporting breaches, and that should have a healthy effect on information security, actually promoting best practices and a realistic evaluation of the need for better security from the boardroom on down. And, since it’s often our information they are holding, I think that’s a good thing.
Geoff Webb has over 20 years of experience in the tech industry and is a senior member of the product marketing team at Credant Technologies. Geoff provides commentary on security and compliance trends for such journals and websites as: eSecurityPlanet, CIO Update, The Tech Herald, Compliance Authority, Virtual Strategy Magazine, and many others. Prior to Credant, Geoff held management positions at NetIQ, FutureSoft, SurfControl and JSB. Geoff holds a combined bachelor of science degree in computer science and prehistoric archaeology from the University of Liverpool.