Harvard Business Review (HBR) recently published an article that tackles the same topic as the latest Cyber Defenders Council report: cybersecurity regulation. The HBR article explores the complexities of incident reporting regulation, while the Cyber Defenders Council report delves into the pros and cons of cybersecurity accountability regulation.
To some, the impulse to require organizations to report security incidents, regardless of whether personal information was disclosed, seems misguided. Beyond giving regulators a clearer picture of the threat landscape and of organizations' overall cyber risk exposure, it is unclear what the ultimate purpose of incident reporting regulation should be if it does not also require organizations to demonstrate that they have strong, proactive security postures.
REPORT: Bridging the Cyber-Business Divide: Will Regulation Reduce Risk and Improve Resilience?
In contrast, the objective of cybersecurity accountability regulation would be to compel organizations to take meaningful action on cybersecurity. It would create shared accountability for cyber risk mitigation among top executives by requiring them to understand “significant deficiencies” and “material weaknesses” in their organization’s cybersecurity posture and to attest to the measures their organizations have in place to mitigate cyber risk.
The members of the Cyber Defenders Council understand that cybersecurity regulation of any kind is a sticky wicket, and certainly, they’re not unanimously in favor of accountability regulation. That’s why our report explores the pros, cons, and complexities of cybersecurity accountability regulation.
It is critical to keep raising these questions, to identify potential unintended consequences, and to start an informed conversation among cybersecurity leaders about the benefits and drawbacks of accountability regulation. Collectively, we can then shape outcome-driven policies (or alternatives such as voluntary standards) that improve organizations' cybersecurity postures in significant and tangible ways.
Your input as a security professional is essential. We invite you to share your thoughts on this topic and weigh in on the following questions in the comments below:
- Is accountability regulation for cybersecurity a good idea or a bad idea? Why?
- Which executives should be held accountable for cybersecurity due diligence and how?
- What should those executives reasonably be required to attest to?
- What unintended consequences should we strive to avoid?
CISOs and CSOs are already on the hook for cybersecurity, and they are the first to take the fall for breaches, regardless of whether they fought for additional investment in people, processes, and technology.
Any cybersecurity accountability regulation should be carefully crafted to make the jobs of cybersecurity and other executives easier and more effective. Our goal is to create the necessary alignments within organizations between business leaders and security leaders to allow them to Defend Forward.