Reshaping Security Governance to Meet the New Challenges
A checklist for CISOs to create greater efficiencies around security governance processes in response to the new SEC requirements
John Morello | January 30, 2024
We recently covered a series of changes to the security governance landscape, including the new reality for Chief Information Security Officers (CISOs) in the wake of critical legal rulings and Securities and Exchange Commission (SEC) rule changes. We've discussed how they face greater liability, as well as the potential unintended consequences of the SEC disclosure mandates. Now we are sharing specific recommendations to improve security governance and reduce personal and corporate risk.
CISOs can actually transform the new requirements into a thoughtful mechanism to create greater efficiencies around security governance processes, metrics, and workflows.
Update your security incident response playbook
To meet the new reality of faster and more detailed disclosures as well as to mitigate personal legal risk, CISOs need to update their security response playbooks. To meet the new SEC requirements, you may need to change many practices to better hit the four-day disclosure window. That could mean increasing the frequency of log analysis, closing gaps in log collection, putting in place better observability and data aggregation to speed up forensics, or automating key parts of your reporting process.
In addition, you may need to allocate more resources to the initial response, by assigning additional headcount or putting in place a resource burst capability through a third party.
Update your compliance and risk management practices
CISOs will need to have a new set of compliance and risk practices to accommodate the new SEC rules and legal risks. For their organizations, the SEC rules accelerate timetables for any compliance activities required to report a material attack. At the same time, due to the fast turnaround time required by the SEC, CISOs may consider increasing the frequency of compliance exercises such as audits to increase their team’s ability to move quickly and reset organizational expectations. In terms of risk management and disclosure, the new landscape for personal and corporate liability requires significantly more care to be applied in all internal communications.
When CISOs do make internal presentations or provide recommendations about cybersecurity policies and practices, they should err on the side of caution. CISOs should advocate for disclosure early and often, even with incomplete information, because the alternative is far greater legal exposure. CISOs should also work closely on disclosure playbooks with the CEO and communications teams of their organizations to better manage reputational risks and potential financial impacts resulting from any disclosed breach or attack.
Instrument your playbooks and processes so you can objectively verify compliance
What is not measured does not matter, and what is not instrumented cannot be measured. Rather than prioritize purchasing more defensive security tools, CISOs should consider investments into systems that can programmatically collect, categorize, and report on security response and compliance processes. Such systems exist today but a wide gap remains in understanding how teams behave, whether they follow policies in reality, what the workflows actually look like under fire, and where bottlenecks and gaps may lie.
Enter security process capture, the last mile for security governance. Process capture has long existed in other fields, but it is only now becoming more of a focus in security governance, driven by the SEC rules and the changing landscape. Process capture means instrumenting the different workflows and tools that security teams use, both to monitor and validate that proper processes are followed and to identify ways processes can be improved. In reality, security controls are only a part of the toolchain essential to security governance and compliance. Messaging and chat tools, ticketing systems, software repositories, and CI/CD tools all play critical parts in security operations and governance. Instrumenting these tools puts in place a mechanism to develop a process-centric understanding and a more detailed record of team actions and behaviors. This record can be used to fulfill audit and compliance requirements by demonstrating policy execution and conformance.
That said, simply capturing the process and making it visible is a necessary but not sufficient step. CISOs will also need to deploy a new set of security process metrics to spot trends, find outliers, and measure averages. Some existing security metrics would clearly apply — such as mean-time-to-detect, mean-time-to-fix, mean-time-to-contain, and mean-time-to-update.
Some new potential security metrics might include:
- Mean-time-to-triage — How much time it takes to appropriately identify and escalate a security event is a critical capability for meeting the new disclosure requirements. Without rapid triage, a serious incident might not be escalated in a timely fashion.
- Mean-time-to-validate — From triage to validating that an attack is underway is another critical metric along the path to a four-day notification capability.
- Mean-time-to-blast-radius — Mapping the full blast radius of an attack can be challenging to measure, but having an accurate read on the full extent of an attack will make rapid reporting less daunting and risky.
- Playbook-compliance-percentage — What percentage of security responses follow the prescribed playbook indicates both how well a team is performing and the viability of a playbook and its supporting processes and tools.
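As an added illustration (not part of the original article or any vendor's product), the sketch below computes the four proposed metrics from captured process events. The step names, the playbook order, the incident records, and the choice of start and end events for each metric are all assumptions made for the example.

```python
from datetime import datetime
from statistics import mean

# Constructed sample: process events per incident, as captured from ticketing
# or chat tooling. Step names and the playbook order are assumptions.
PLAYBOOK = ["detected", "triaged", "validated", "scoped", "legal_notified"]
INCIDENTS = {
    "INC-1": [("detected", "2024-01-08T09:00"), ("triaged", "2024-01-08T10:30"),
              ("validated", "2024-01-08T14:30"), ("scoped", "2024-01-09T14:30"),
              ("legal_notified", "2024-01-09T15:00")],
    # Legal was told before validation and the blast radius was never mapped.
    "INC-2": [("detected", "2024-01-10T22:00"), ("triaged", "2024-01-11T01:30"),
              ("legal_notified", "2024-01-11T08:00"),
              ("validated", "2024-01-11T09:30")],
    "INC-3": [("detected", "2024-01-15T08:00"), ("triaged", "2024-01-15T09:00"),
              ("validated", "2024-01-15T12:00"), ("scoped", "2024-01-16T00:00"),
              ("legal_notified", "2024-01-16T09:00")],
}

def first_seen(events):
    """Map each step to the earliest time it was recorded."""
    seen = {}
    for step, ts in sorted(events, key=lambda e: e[1]):
        seen.setdefault(step, datetime.fromisoformat(ts))
    return seen

def mean_hours(incidents, start, end):
    """Mean hours from start to end, over incidents that recorded both steps."""
    spans = [(t[end] - t[start]).total_seconds() / 3600
             for t in map(first_seen, incidents.values())
             if start in t and end in t]
    return mean(spans) if spans else None

def follows_playbook(events, playbook=PLAYBOOK):
    """True only if every playbook step was recorded, in the prescribed order."""
    t = first_seen(events)
    if any(step not in t for step in playbook):
        return False
    times = [t[step] for step in playbook]
    return times == sorted(times)

def process_metrics(incidents):
    compliant = sum(follows_playbook(e) for e in incidents.values())
    return {
        "mean_time_to_triage_h": mean_hours(incidents, "detected", "triaged"),
        "mean_time_to_validate_h": mean_hours(incidents, "triaged", "validated"),
        "mean_time_to_blast_radius_h": mean_hours(incidents, "validated", "scoped"),
        "playbook_compliance_pct": 100 * compliant / len(incidents),
    }

if __name__ == "__main__":
    print(process_metrics(INCIDENTS))
```

An incident that never recorded a step is excluded from that step's mean but still counts against playbook compliance, so a missing blast-radius assessment cannot improve the averages unnoticed.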
An Opportunity to Make Security Governance Transparent and Efficient
While all of the discussed changes will put stress on security, compliance, and risk management teams, this transitional period also offers a rich opportunity to elevate, streamline, and automate security governance. What the SEC and shareholders want to know is whether CISOs and their teams prepared and responded correctly. For CISOs, this knowledge will also help them understand how effective their team is and whether the processes put in place are viable and followed. The most important capability of any security team is tight coordination and cooperation. While every team has many tools and controls, those controls are only as good as the processes that surround them.
Instrumenting security and compliance processes makes security more transparent and efficient by allowing CISOs to monitor and observe coordination and cooperation. Transforming previously manual event log analysis and interviewing processes into systems will also enable faster audits and reduce compliance and risk management costs over time, all while delivering improved security. Automated security process monitoring and reporting will enable nearly real-time readouts on process compliance and behaviors, allowing CISOs to oversee critical security response and even enabling CEOs to track security governance. The logical end game for CISOs is to have a clear line of sight into the inner workings of their security response and compliance processes, making the vague visible and the previously opaque predictable — all while reducing cost and risk.
Security governance is getting personal
For CISOs, CEOs, BODs, and security teams, staying ahead of these new security governance changes requires a proactive approach with a focus on compliance, transparency, and strategic risk management.
Download our whitepaper, "Navigating a New Security Governance Reality: A CISO's Guide to Cybersecurity Disclosure and Compliance" for:
- Real-world ideas for improving your security governance to better navigate recent global disclosure changes
- An understanding of personal and corporate liability risks security leaders assume when they don’t prioritize security governance
- Ways to prepare for the possible unintended consequences of the new disclosure rulings