Transparency and Risk Management in Cybersecurity: CISO Perspectives By Matthew Rosenquist ,Jim Routh and  Micheal W. Reese

The discussion focuses on the ethical and practical considerations for CISOs when disclosing cybersecurity incidents. The conversation examines the role of intent, the responsibilities of corporate leadership, and the expectations of shareholders in the context of significant security breaches like the SolarWinds incident.

 

 

Here is the verbatim discussion:

Answer I'm fine with that but my first question and um Michael I'll start off with you if you were the ceso in that situation right would you fill out the 8K SEC form and choose to Omit that important information to the shareholders the fact that you had seen this attack other customers going back six months would you omit that I would not omit that and and I think one of the other problems to that is if you if you read on this the 15th item it's admitted that he knew it was omitted and made a comment to somebody else well I just lied in quotes um that doesn't help the case and I I get that's where when Jim was talking about intent right if if you're going to be the bad guy there has to be intent to what you're doing this is where I look at hey there could be some intent right here if you just take it for for face value again I haven't seen the other side you're saying one side of the story um and we don't know if all if that's Jim yeah what I would want as a shareholder is for the uh company that's in this case a software company to recognize that software supply chain poisoning which is the net effect and impact on Enterprises uh is probably the number one risk to the Enterprise from a cyber security standpoint and therefore um the the right attention right level of resource allocation and right level of uh practice needs to be put in place uh as part of a response to ultimately the first indication of a of an incident or a you know a breach uh and so what I would want to see as a shareholder perspective is actually the response to the event and what Lessons Learned are being applied to Improvement and practice going forward to reduce the probability of similar events in the future simply because Supply software supply chain poisoning is absolutely critical to uh any software company uh and certainly solar winds that you know sells a lot of Frontline protective uh capabilities from a network perspective uh to their customers uh they uh their customers deserve um you know to know what the response was and what the uh proactive steps to reduce the probability of that happening in the future are and that's actually more important than the actual incident information is is to know what the response is and that's reasonable I think from a investor standpoint as well as a customer.

 

Highlights:

 

Ethical Disclosure:

  • The CISO should not omit critical information when filing a Form 8-K disclosure with the SEC. Transparency is crucial, especially when prior attacks on other customers have been identified.
  • Intentionally omitting information or lying can imply intent, complicating the situation legally and ethically.

Shareholder Expectations:

  • Shareholders expect the company to be transparent about security incidents and the steps taken in response.
  • The focus should be on the company's response, resource allocation, and the implementation of practices to prevent future incidents.

Case Study: SolarWinds Breach:

  • The SolarWinds incident underscores the critical nature of software supply chain security.
  • Shareholders and customers deserve to know how the company responds to breaches and what measures are in place to reduce future risks.

Intent and Accountability::

  • The admission of intentional omission or lying, as suggested in the case, highlights the importance of intent in legal and ethical considerations.
  • The CISO and other executives must collaborate to ensure accurate and timely disclosures.

 

The conversation emphasizes the importance of ethical behavior and transparency for CISOs when handling cybersecurity incidents. Shareholders and customers expect not only to be informed about breaches but also to understand the company's response and proactive measures. The SolarWinds breach serves as a reminder of the significance of software supply chain security and the need for robust incident response protocols.

 

Speakers:

Jim Routh a board member, advisor and investor with specific expertise as a transformational security leader focused on applying risk management discipline to a converged security function for global enterprises to achieve enterprise resilience. Demonstrated track record of designing security control using innovation and data science to align senior executives to deliver world-class level security capabilities to drive positive business results in a digital world.

https://www.linkedin.com/in/jmrouth/

 

Micheal W. Reese Over 30 years’ experience in Information Technology serving in senior executive positions encompassing security, general operations management, project management, process change and development, business development as well as service and product management functions. A Cybersecurity Specialist, licensed as a Computer Forensics Investigator, Certified Information Systems Security Professional, Hacking Forensic Investigator and Fire and Explosion Investigator . Assisted both the DOJ and FBI on several matters, worked with High Tech Crime Units in Portland and Sacramento. Given expert witness testimony in hearings, depositions and at trial.

 

https://www.linkedin.com/in/michael-w-reese/

 

Matthew Rosenquist is a seasoned cybersecurity strategist and Chief Information Security Officer (CISO) with over three decades of experience. With a remarkable career at Intel Corporation spanning 24 years, he spearheaded key security initiatives, including establishing Intel's first Security Operations Center and leading cyber crisis response teams. As an influential figure in the industry, he currently serves as the CISO for Eclipz and advises numerous organizations worldwide on cybersecurity, emerging threats, privacy, and regulatory compliance. With a unique ability to bridge technical expertise with business acumen, Matthew is renowned for developing effective security strategies and enabling organizations to navigate complex cyber risks while optimizing security, privacy, and governance.

 

https://www.linkedin.com/in/matthewrosenquist
https://twitter.com/Matt_Rosenquist

E-mail me when people leave their comments –

You need to be a member of CISO Platform to add comments!

Join CISO Platform