On the heels of the Equifax breach, the United States Securities and Exchange Commission (SEC) disclosed on September 20, 2017, that it had been hacked way back in 2016. It further disclosed that about a month ago it learned the hackers may have used their access for illegal online trading. With the SEC’s regulatory enforcement role in investigating and bringing enforcement actions against companies that have had cybersecurity incidents combined with its recent exercise of that power to join the Federal Trade Commission in being a key regulatory over cybersecurity, many are taking umbrage.
This post has nothing to do with any of that.
On July 27, 2017, the U.S. Government Accountability Office (GAO) issued a report assessing the SEC’s cybersecurity posture and recommending that the SEC take specific actions to improve its cybersecurity. Effectively, a risk assessment. Now, in the wake of the SEC’s announcement, many are jumping on the “the SEC failed to act” bandwagon. As tempting as this bandwagon may be, as I thought more about it, I wondered whether this is good for cybersecurity as a whole? Is this a good thing to be focsing on?
As tempting as this bandwagon may be, as I thought more about it, I wondered whether this is good for cybersecurity as a whole, which led me to a couple of questions to consider:
- Do any of us really believe there is any organization in the United States or even the world, that is 100% cyber secure–that is, that has no vulnerabilities or areas for improvement?
- Do any of us really believe that our own organization is 100% cyber secure, having no vulnerabilities or areas for improvement?
- What is the first thing many experienced cybersecurity professionals are encouraging organizations to do when beginning the journey of developing and maturing their own cyber risk management program?
If you answered the last question with something to the effect of “start with a risk assessment” then you are correct.
So, if no company is 100% cyber secure and every organization should start with a risk assessment, doesn’t it stand to reason that every single organization in the world will have “warnings” that they must heed in the event they later have an incident?
And, when an organization does obtain a risk assessment, how many are able to implement every recommendation, immediately?
If it is virtually guaranteed that an organization obtaining a quality risk assessment will result in it receiving recommendations that it is unable to immediately implement, and such recommendations will later be used against it if it has an incident, does this encourage organizations to obtain a risk assessment?
What do you think? Does the “the SEC failed to act” bandwagon advance the overall cause of cybersecurity?