Main image of article SEC Cybersecurity Regulations Will Require New Skills for Tech Pros

Following the May 2021 ransomware attack that targeted Colonial Pipeline—as well as several other well-publicized threats that happened during this same period—lawmakers tried passing new rules and regulations for enterprises concerning how and when they report these types of large-scale security incidents.

Federal agencies with oversight over businesses have also sought to create and implement updated rules for how companies disclose a cyber incident once it occurs. The U.S. Securities and Exchange Commission, for instance, is poised to finalize new regulations called the Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure for publicly traded firms.

These SEC rules, first proposed in March 2022 and expected to go into effect in a few months (perhaps as early as April) are designed to ensure additional transparency for companies’ boards of directors, such as documenting and publicizing which members have cybersecurity backgrounds. The regulations also want enterprises to disclose governance and risk processes and to report “material” cyber incidents within four business days.

Most of the SEC rules are aimed at improving company disclosures by requiring executives, board members and upper management to publish more information within their 8-K forms, which provide additional details to investors and the public. For industry experts, this added attention to cybersecurity and risk is long overdue.

“I see the steady rise and integration of cybersecurity into top-level policy as an indicator of the maturation of cyber risk from being both poorly understood and the exclusive domain of pure technologists, to being integrated as a core aspect of business risk management and a mandated topic for the boardroom,” Casey Ellis, founder and CTO at Bugcrowd, recently told Dice. “The SEC’s actions most clearly demonstrate this; their calls for cybersecurity expertise in the boardroom demonstrate that they view cybersecurity through the same lens as any other less recent or exotic risk, such as human resources, arbitrage and currency, and so on.”

The SEC regulations, however, will likely have significant effects on organizations beyond the boardroom and C-Suite. Those cyber and tech pros who oversee security will not only have to now respond to specific cyber incidents that target the network but convey that information up the chain to supervisors, managers and the executives who have to report to federal agencies. This will require additional skills and new attention to detail, experts noted.

How Will SEC Rules Affect Tech Pros’ Skills?

Cybersecurity requires a highly competent technical staff who can respond to incidents and understand the difference between what might be causing a false alarm and a certified threat to the infrastructure. Skills such as malware analysis, SOC analyst and incident response are at a premium.

The issue for many corporate cybersecurity teams is those skills don’t always translate into what executives and board members need to meet the SEC’s new rules and other developing regulations, said John Bambenek, principal threat hunter at security firm Netenrich.

“The problem is that the technical language doesn’t translate easily into business decisions, which is why for two decades we give the same talking points about selling cybersecurity to the board,” Bambenek told Dice. “The only difference is that now there is consensus that everything is on fire and something needs to be done.”

One way for organizations to respond is to identify tech and cyber pros who have a business background or have demonstrated a degree of leadership acumen. Once those tech pros are found, management needs to encourage these employees to continue developing those skills to bridge the gap between the technical and what is now required in terms of risk analysis, compliance and governance.

“Right now there really isn’t a cybersecurity MBA program, and until there is, the only training path is to grow your own,” Bambenek added. 

The SEC rules will also require day-to-day tech and cybersecurity specialists to become more familiar with regulatory compliance issues related to cyber-risk management, said Mike Parkin, senior technical engineer at Vulcan Cyber. This will require new skills and a fresh mindset for many tech pros.

“The ‘what needs to be done’ during an incident won't change much, but there will be changes to the reporting process and almost certainly some changes to priorities in risk management,” Parkin told Dice. “Whether it will require dedicated assets focused on dealing with compliance in this context remains to be seen, but for larger organizations, it may well be a complex enough challenge to dedicate the resources.”

While those in the tech trenches will need to upskill their management and communications skills, it’s important to remember executives and board members also need to polish their cybersecurity skills to understand how a security incident affects the entire organization.

“In keeping with their fiduciary duties and their proper role, directors don’t need to—and shouldn’t try to—function like CISOs,” David Kris, an advisor at Theon Technology, told Dice. “Instead, they need to have expertise in cyber policy and oversight, including understanding and mitigating cyber risk, reporting, compliance, structures and internal systems.”

Communication Skills Are Key

As the new SEC rules come into effect, Kurt Manske, managing principal at cybersecurity advisory firm Coalfire, noted that businesses should develop a cybersecurity checklist to help ensure compliance. This checklist includes specific mandates such as:
 

  • Understanding risks, impacts and risk responses
  • Reviewing, updating and enhancing cybersecurity policies and procedures
  • Executing comprehensive security awareness programs
  • Having a deep understanding of resiliency plans and practices
  • Testing resiliency
  • Taking Incident Response Programs (IRPs) to the next level
  • Testing your IRP
  • Getting your external incident reporting model ready

At the core of all this is communication: not only ensuring that tech and cybersecurity pros can relay highly technical information up the chain, but that board members and top executives are in touch with CISOs and their teams to understand cyber incidents and risks.

“Board members must have access to and relationships with cybersecurity experts within the organization,” Manske told Dice. “That way, when there is an urgent need for the board to weigh in on a cybersecurity situation, a relationship is already in place, and the discussions are more relevant and transparent. A cyber incident is not the time to build the bridge; that should occur long before difficult conversations take place.”