CISO Accountability and the Importance of Transparency: Lessons from the SolarWinds Breach By Matthew Rosenquist, Jim Routh and Michael W. Reese

The discussion examines the different perspectives on cybersecurity disclosures: the responsibilities of CISOs, the expectations of shareholders, and the rights of customers. It also explores how CISOs should adapt in light of recent high-profile security breaches and the legal scrutiny that followed the SolarWinds incident.


Here is the verbatim discussion:

It's because I'm approaching this from different perspectives: the CISO perspective, the shareholder perspective. If you were actually a customer, right, you had SolarWinds products installed in your system, can we collectively agree that we would also want to be informed by our vendor that, yes, not only were they hacked, but they knew of this situation, and there were other customers, going back six months? You know, as a customer of theirs, I assume we would want to know that information, and if that has to be revealed in an A, so be it. But is there any disagreement that, as a customer, they were probably expecting to be informed prior, or at least with complete information here, right? It sounds like this is a precedent. It sounds like a message is being sent, whether it's direct or indirect, and it's going to be concerning to see. We've already seen that, and it's probably going to shape future CISOs. So my question, and Michael, I want to start with you here: how should CISOs today adapt? And again, the case isn't decided. There is no conviction; innocent till proven guilty. But from the perspective of what we're seeing in the news and what we're all discussing as a community, how should CISOs start to adapt? Your thoughts?

Yeah, it's a game changer. It really is. And we can say, oh no, we kind of saw some of this happening, and the CISOs, you know, they want a seat at the table, we're going to give them that. It changes the direction of what a CISO is going to be responsible for. And I think Jim had a great point. You know, he's working right now with a company, they look at Verso, you had two.


Highlights:

Customer Expectations:

  • Customers expect to be informed when a vendor whose software runs in their environment, as SolarWinds did, suffers a security breach. They want to know the extent of the breach and about any earlier incidents, especially ones the vendor had known about for months.
  • Full and timely disclosure is what lets customers assess their own exposure and take action to protect their systems.

Precedent and Future Implications:

  • The handling of the SolarWinds case sets a precedent for future cybersecurity disclosures. It sends a message to the industry about the importance of transparency and accountability.
  • This precedent will likely influence how CISOs and companies handle similar situations moving forward.

Adapting CISO Responsibilities:

  • CISOs must adapt to the increasing expectations for transparency and accountability. They need to ensure that their companies are proactive in disclosing security incidents to customers and shareholders.
  • The role of the CISO is becoming more integral to corporate governance, requiring a seat at the executive table to influence decision-making and resource allocation for cybersecurity.

Case Study: SolarWinds Breach:

  • The SolarWinds incident shows that CISOs must be prepared for legal and ethical scrutiny of what they knew and when. Security issues must be documented and communicated promptly and accurately.
  • CISOs must work closely with legal, executive leadership, and communications teams so that disclosures are coherent, complete, and consistent across customers, shareholders, and regulators.


The conversation emphasizes the critical need for CISOs to adapt to the evolving landscape of cybersecurity expectations. Customers and shareholders demand transparency and timely information about security breaches. The SolarWinds case serves as a significant precedent, underscoring the importance of ethical behavior, clear communication, and proactive measures in cybersecurity management. CISOs must be prepared to meet these challenges and take on a more prominent role in their organizations to ensure trust and integrity.


Speakers:

Jim Routh is a board member, advisor and investor with specific expertise as a transformational security leader focused on applying risk management discipline to a converged security function for global enterprises to achieve enterprise resilience. He has a demonstrated track record of designing security controls using innovation and data science, and of aligning senior executives to deliver world-class security capabilities that drive positive business results in a digital world.

https://www.linkedin.com/in/jmrouth/


Michael W. Reese has over 30 years' experience in Information Technology, serving in senior executive positions encompassing security, general operations management, project management, process change and development, business development, and service and product management. He is a Cybersecurity Specialist, licensed as a Computer Forensics Investigator, Certified Information Systems Security Professional, Hacking Forensic Investigator and Fire and Explosion Investigator. He has assisted both the DOJ and FBI on several matters, worked with High Tech Crime Units in Portland and Sacramento, and given expert witness testimony in hearings, depositions and at trial.


https://www.linkedin.com/in/michael-w-reese/


Matthew Rosenquist is a seasoned cybersecurity strategist and Chief Information Security Officer (CISO) with over three decades of experience. With a remarkable career at Intel Corporation spanning 24 years, he spearheaded key security initiatives, including establishing Intel's first Security Operations Center and leading cyber crisis response teams. As an influential figure in the industry, he currently serves as the CISO for Eclipz and advises numerous organizations worldwide on cybersecurity, emerging threats, privacy, and regulatory compliance. With a unique ability to bridge technical expertise with business acumen, Matthew is renowned for developing effective security strategies and enabling organizations to navigate complex cyber risks while optimizing security, privacy, and governance.


https://www.linkedin.com/in/matthewrosenquist
https://twitter.com/Matt_Rosenquist
