The discussion explores the complex dynamics between regulatory actions, cybersecurity practices, and the responsibilities of CISOs. It delves into the consequences of regulatory overreach on the industry and contrasts differing viewpoints on the role of the SEC in fostering or hindering collaboration and resilience in cybersecurity.

Here is the verbatim discussion:

Uh no no I don't think there's a wider net of culpability in fact um I think it's probably more narrow I think they've overextended a bit uh in their reach uh and their enforcement action and as I said I think it's going to there's a consequence of doing damage to the entire industry in uh reducing the incentive to share information early and share uh you know sensitive information with The Regulators overall and I think that's actually not helping resilience across Enterprises it's hurting resilience across Enterprises so um you know I think the any regulatory agency uh has to balance uh a relationship with the private sector recognizing that majority of critical infrastructure resides in the private sector uh and achieve a level of resilience um that is necessary uh means cooperation uh and collaboration and uh this doesn't this doesn't Foster collaboration or Co cooperation it uh actually constrains it going forward and that's not a healthy indication uh for the industry at whole well let me take an opposing view on that because the sec's mission what we pay our tax dollars for the SEC to accomplish is not to Foster SE um there has to be an intentional deceit on behalf of you in your capacity so okay so then second question same scenario if you were a shareholder right of solar winds at the time would you want to know as part of that disclosure because you have a right to be informed would you want to know that the management of your investment has known about attacks.

Highlights:

Regulatory Overreach and Its Consequences:

• The argument is made that the regulatory reach in the SolarWinds case may have been overextended, potentially harming the industry by reducing the incentive for early and transparent information sharing.
• Overzealous enforcement can damage resilience across enterprises by discouraging cooperation and collaboration between the private sector and regulatory agencies.

Balancing Regulation and Cooperation:

• Effective regulation should balance enforcement with fostering a cooperative relationship with the private sector, which holds the majority of critical infrastructure.
• The aim should be to enhance resilience through collaboration, rather than creating an environment of fear and reluctance to share critical information.

Opposing View on Regulatory Role:

• An opposing view highlights that the SEC’s primary mission is to protect investors and ensure fair and efficient markets, not necessarily to foster the cybersecurity industry.
• The SEC is tasked with enforcing regulations that ensure transparency and accountability, even if it means taking strict actions against companies and individuals who fail to disclose significant security breaches.

Shareholder Rights and Expectations:

• Shareholders have a right to be informed about significant security incidents affecting their investments.
• Timely and accurate disclosure of security breaches is crucial for maintaining investor trust and ensuring informed decision-making.

The conversation underscores the need for a balanced approach to cybersecurity regulation, one that promotes both accountability and collaboration. While regulatory agencies like the SEC have a duty to protect investors and enforce transparency, overly aggressive actions can undermine industry resilience and cooperation. CISOs and companies must navigate these dynamics carefully, ensuring that they meet regulatory requirements while fostering an environment of trust and collaboration to enhance overall cybersecurity resilience.

Speakers:

Jim Routh a board member, advisor and investor with specific expertise as a transformational security leader focused on applying risk management discipline to a converged security function for global enterprises to achieve enterprise resilience. Demonstrated track record of designing security control using innovation and data science to align senior executives to deliver world-class level security capabilities to drive positive business results in a digital world.

https://www.linkedin.com/in/jmrouth/

Micheal W. Reese Over 30 years’ experience in Information Technology serving in senior executive positions encompassing security, general operations management, project management, process change and development, business development as well as service and product management functions. A Cybersecurity Specialist, licensed as a Computer Forensics Investigator, Certified Information Systems Security Professional, Hacking Forensic Investigator and Fire and Explosion Investigator . Assisted both the DOJ and FBI on several matters, worked with High Tech Crime Units in Portland and Sacramento. Given expert witness testimony in hearings, depositions and at trial.

https://www.linkedin.com/in/michael-w-reese/

Matthew Rosenquist is a seasoned cybersecurity strategist and Chief Information Security Officer (CISO) with over three decades of experience. With a remarkable career at Intel Corporation spanning 24 years, he spearheaded key security initiatives, including establishing Intel's first Security Operations Center and leading cyber crisis response teams. As an influential figure in the industry, he currently serves as the CISO for Eclipz and advises numerous organizations worldwide on cybersecurity, emerging threats, privacy, and regulatory compliance. With a unique ability to bridge technical expertise with business acumen, Matthew is renowned for developing effective security strategies and enabling organizations to navigate complex cyber risks while optimizing security, privacy, and governance.

https://www.linkedin.com/in/matthewrosenquist
https://twitter.com/Matt_Rosenquist