Shrinking Time – Everything Speeds Up
The digital era is characterized by one incontrovertible truth: change. Whether it’s the rapid advancements in artificial intelligence, the startling discovery of new security vulnerabilities, or the swift release of patches to mitigate those threats, the pace of change in IT is relentless.
Keeping Up with the Pace
For those in the field, it’s exhilarating to witness such progress. That is, as long as you and your organization can keep up.
Unfortunately, we know all too well that organizations are struggling with timely patching, despite compliance requirements mandating 30-day – and in some cases 14-day – timeframes for patching known vulnerabilities. It’s an alarming truth that illustrates a growing concern within the cybersecurity landscape.
Furthermore, it’s becoming clear that it is humanly impossible to keep up with the constant flood of information about cybersecurity and new exploits. The industry is turning to automation to handle the onslaught, but even this solution is not without its challenges.
New Rules on the Horizon
Stricter regulations are emerging, particularly from the Securities and Exchange Commission (SEC). We’ve previously discussed the SEC’s approach to assigning responsibility in situations where “best practices” were not followed. Now, they’re taking things a step further.
Starting later this August, organizations will have to file specific information about cybersecurity incidents they have been subject to, reporting any “material cybersecurity incident” they experience within four days. They will also need to disclose yearly aggregated information on cybersecurity risk management, strategy, and governance.
If you recall, mandatory cybersecurity information disclosure around incidents has been on the radar since early last year, when the White House announced new regulations in such situations. These latest SEC rules just drive the point further home.
On July 26, 2023, the SEC announced that it had “adopted rules requiring registrants to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.” This will go into effect 30 days from the date of publication.
The logic behind this decision is a tentative step toward treating incident disclosure the way disclosure already works for production disruptions, natural disasters and other events that may directly affect a company’s valuation or market position.
Better late than never seems an appropriate verdict on these new rules. For years we’ve witnessed multiple million-dollar incidents across all industries and at companies of all sizes. Just recently, Western Digital shut down its cloud infrastructure as a result of a hacking incident. It is obvious that these incidents can have, and do have, a direct impact on the bottom line.
There is, however, much yet to be clearly defined. Depending on how you approach security, a cybersecurity incident can be anything from a phishing attempt to a successful breach that goes undetected for months. Simply exposing an IP address on the Internet attracts malicious bots within minutes. If all of those have to be reported, the volume would more than likely overwhelm any IT team. If the bar is raised to cover only unintended information disclosure or data theft, then companies get some wiggle room to skirt the regulation by simply claiming that they are not aware of any such information having been leaked, which can hold true until proven otherwise, and for much longer than four days.
These new regulations signal a turning point in how organizations handle cybersecurity. Compliance will no longer be a suggestion, but a stringent requirement. The growing complexities and responsibilities placed on companies will undoubtedly add to the burden of keeping up with the fast-paced world of IT.
However, the overarching goal is clear: to ensure transparency and responsibility in an environment where the stakes are continuously escalating. The shrinking time frame to respond to vulnerabilities, assess risks, and enact best practices is both a challenge and an opportunity.
Organizations must seize this moment to refine their cybersecurity strategies and align with these new standards. The future of cybersecurity depends on our ability to adapt, innovate, and maintain the highest levels of integrity and vigilance. In the end, the effort will not only protect individual organizations but also fortify the broader ecosystem against ever-evolving cyber threats.