Would a Sarbanes-Oxley type law requiring public companies to attest to their cybersecurity integrity be a good idea?
In a National Association of Corporate Directors survey of corporate directors across the US, 16 months ago, 61% said they'd compromise on cybersecurity for a business objective. It makes me wonder if we should have, in essence, a Sarbanes-Oxley type law that requires public companies to attest to their cybersecurity integrity. That would then create all the pressures for them. It would also make the role of the CISO, or CSO, or chief trust officer the equivalent of a general counsel, who could be disbarred, in essence, if they did certain things. Or the chief financial officer going to jail if there were financial integrity issues, or the CEO. At the same time, there should perhaps be a whistleblower statute that would protect the security team or the security leader for calling out the integrity issues and things.
So I think if we created some type of structure like that, with a kind of cybersecurity integrity attestation as well as some level of whistleblower protection, we might then move the needle. We know what to do, but nothing's happened because you need teeth in it. If the teeth are just a fine, I'm going to kick the can down the road. Look at all the antitrust things that occur and all the other fines that people kick the can down. It needs to be, "You could go to prison." And it would then create a level of oversight, and obtrusive oversight, from maybe the FTC or something like that. Or they're in your shorts all the time, which then further encumbers your business. So I don't know. That's at least mentally for me, I'm going, "If we did something like that, that might at a minimum start making more traction for us."
So Malcolm, you're saying that we know what to do, but I'm not sure that they do know what to do. They're politicians, and you can take all the negatives away and let's say they're all just shining examples of human beings, every single last one of them, right? They're still politicians. They don't have a background as an IT security or IT professional. They have gone in there, they know law, they know how to pass bills, they know how to do those pieces. Are the experts there who can help them, and are they willing to listen to those experts if that advice is given, right? So Malcolm, we could write the best list of, "This is what we think they should do." But do they give a rip? We need more attorneys and lawyers in the cybersecurity space. That's just so desperately needed. Somebody who has the deep expertise to be able to have these conversations around this stuff. Not just paper pushers, but people who are embedded and ingrained in IT. And they don't have to be hands on keyboard, but they need to understand what the cloud really is and all of these types of things.
Yes, lawyers with technical competency.
But using SOX as an example showed that Congress does not know how to create a regulation that works. Such a regulation would be best if it were self-enforced.
Overall, I think something akin to PCI would be a good idea.
These discussions are taking place around Twitter, Google, Facebook, et cetera, and what they do, and how they manage information, how they use information. I mean, these are just continuous discussions that have been taking place for the entire existence of social media companies. We don't seem to be any closer really at the federal level, Congress and the administration, to figuring out how to build that basic framework of law and policy that covers the really fundamental things.
And then you see how hard it is even for really large private sector entities that have actual resources and budgets, and people who know how to do cybersecurity and information security. How much they struggle. And that's challenging enough, but all the medium and small enterprises that make up so much of the backbone of the actual US economy and global economy are just completely unable to even grasp, "What is it that I'm supposed to do just to secure myself?" And so we're just in such a challenging place, I think, because of our inability to identify basic core standards and guidelines, and the like. I think unless and until we start to get much more in the way of standards that come in a Sarbanes-Oxley-like form, or SEC standards that actually have pain behind them in terms of non-compliance, so much of American society and the global society are just going to be like, "I know it's a problem. I know it's a risk, but I just don't know what to do."