What can the cybersecurity world learn from the more established financial security world on how to approach regulation?

CEO in Healthcare and Biotech, 5 years ago

I can think of scenarios I've seen. You want to open a line of credit with the bank, pretty straightforward thing. And you're a startup company. And they ask you as part of the due diligence questions like, "Hey, do you have any employees or contractors based in the following places?" And if Ukraine pops up on the list, they'd be like, "Whoa, total showstopper. Where in Ukraine? Are they in Crimea?" And then you have to explain, "No, no, no, they are not in Crimea, they're in Kiev and this is all good." And something like that in the financial sort of money world in terms of banking can be a total showstopper. There should be similar requirements across the board for good information/cyber security controls and practices. There is a lot we can learn from FINSERV and other highly regulated industries about how to model cybersecurity standards.

Reply (no title), 5 years ago

Well, and it gets us out of a lot of this faux compliance stuff because I have to define what's the material risk. And then I have to demonstrate that I'm managing it. And in so many cases we get so distracted from the material risk issues because a compliance regime wants me to peanut butter all this shit which costs me more time, more money, and more distraction, right? But the thing is sometimes it’s completely irrelevant to the risk issues that could harm your company and harm your customers.

Reply (no title), 5 years ago

That's where the hard part comes in though. Defining those risks and putting dollars and cents, and putting it down on paper, and getting executive leadership to sign off that that's what they agree to, that's the hardest part in my opinion.

Board Member, Advisor, Executive Coach in Software, 5 years ago

Having been in finance a long time, countless people are constantly looking at how to actually steal money, move money. Even in internal operations, expense fraud. The salesperson wanting to have a higher ASP so that they get an accelerator. Everybody's always trying to game the financial system internally. But if you look at something like financial integrity, there's real pain to the shareholders and executives if they don't demonstrate a level of financial integrity in their reporting. From a data perspective there's no proof that there's any real shareholder impact because of a data breach other than temporary monetary loss caused by emotional selloff. And that's generally more exacerbated when it's an availability issue because it impacts revenue, right?

There's a bunch of great NIST stuff and things out there. But people don't necessarily implement it and then use it to deliver an outcome, right? Which is why I go, "How do we get an outcome that I'm accountable for as a CISO and chief security officer, and the other executives and the board are equally accountable for?" Not that you can eliminate risks. Just like you couldn't eliminate the potential for a financial integrity issue because of one bad apple or a couple of coordinated actors. But by and large, we haven't had any substantive financial integrity accounting issues in almost two decades now. And I go, there's something to be said about that. I hated Intel's Sarbanes-Oxley effort for all of the systems and application infrastructure. It was a royal pain. But you define your own key controls to manage material risk issues, right? Even though at the time, I was like, "It's not going to move the needle." In retrospect, as I've thought about this, I'm like, "Maybe it did."

Reply (no title), 5 years ago

Yeah. I liked the idea, right? But I'm curious if... that worked because it's an internal piece. When you're talking about somebody poking at you constantly, the outcomes are the same, but are the controls a little different?

Reply (no title), 5 years ago

The controls are going to be completely different because of the context.
