Dissecting the SEC Cybersecurity Guidance

On October 13, 2011, the SEC released new cybersecurity disclosure guidance that has the potential to have a major impact on public companies in 2012. I've been taking a good hard look at the new rules to be able to better describe what the actual impact will be.

Rarely have I seen something so game changing come out in the information security domain. Usually, when the U.S. Government publishes new policy, legislation, or mandate, it gets equated to some compliance checklist that requires organizations to spend more money on auditors that check that they have done everything they're being told to do than on actually protecting business processes (FISMA and SOX come to mind). Rather, this guidance strikes me more like HSPD-12, representing something substantial that aims to revolutionize the perception of what's "good enough" in security controls.

For those who may doubt my enthusiasm, I provide this one argument: the SEC is essentially mandating that all public companies disclose how much money they spend to prevent cyberattacks, how much money they spend responding to cyberattacks, and how much potential cyberattacks could impact financial viability. Never before has the information security community had the quality of data that it is about to receive, and never before have financial analysts been required to understand the impact cybersecurity has on the bottom line in order to measure investment potential.

The SEC has done a pretty good job of forcing companies to consider cybersecurity as a metric for assessing business risk. Rather than being left to the geeks in the CIO's office, CEOs and CFOs will now need to start accounting for security dollars in the same way that they account for all other major expenditures. Here are some examples of how I see this playing out:

  • Coke or KFC would need to report the money they spend to protect their intellectual property and trade secret formulas.
  • RSA would need to report how much it has spent responding to the source code theft related to its SecurID product.
  • Research in Motion, maker of the BlackBerry, would need to report how much it expects to spend in free apps and service credits to appease its users following the recent BlackBerry network outage.
  • Sony would need to report how much it expects to spend defending itself from litigation due to recent attacks on its PlayStation Network.

What I really like about the new guidance is that it has nothing to do with technology and everything to do with business and risk. Having been "raised" in IT and security as the Internet blossomed in the 90s, I've witnessed the steady degradation of information security into the depths of a series of VHS vs. Beta debates, where everything becomes a matter of buzzword innovation and determining which technologies do security best. But information security really has very little to do with technology. Sure, IT is an enabler (and disabler) of security, but it's business process that is at the root of information security problems and solutions. Ignore business objectives and you will fail to secure your business. Plain and simple. The new SEC guidance may represent a catalyst that spawns the next evolution in truly effective security.

Alas, there are some things that I really don't like about the new guidance that will likely limit its early effectiveness. Like the California disclosure law, SB 1386, and the Federal efforts that are based on it, the SEC guidance fails to set a basis for what companies should be doing to detect cybersecurity incidents. A company cannot disclose the costs of response without detecting something to respond to. Financial disclosure will aid a bit by allowing the public to compare costs across like companies, but multiple reporting periods will likely be needed to develop a consensus opinion on metrics for determining financial effectiveness in security control. There is also a potential loophole in how the guidance allows organizations to forego disclosure of "generic risk factors" that may be common to their industry. I could imagine some pretty broad interpretations of what could be considered common in many industries. The guidance also allows for non-disclosure in the event that disclosure itself could represent a risk to the business. I'll call this the "national security" or "patient safety" defense. When in doubt, just use the cop out that no one can really question.

I'll follow up soon on what we suggest companies do now to begin preparing to comply with this guidance in 2012.

If you would like to comment on this or any of my other postings, you may look for it on Google+ or on LinkedIn and comment there. This helps counter SPAM and promotes intelligent discourse over anonymous rantings.

InfusionPoints, Your Independent Trusted Advisor

We founded InfusionPoints to be our clients' first choice for an independent trusted partner to build secure systems that protect their employees', partners' and customers' data.