In the past We’ve seen Uber’s former security chief convicted in federal court of mishandling a data breach, a federal regulator indicting SolarWinds’ security chief for allegedly misleading investors before its own cyberattack, and new regulations forcing companies to disclose public data breaches within four business days.
It may seem like it’s never been a riskier time to work in cybersecurity.
But one of the takeaways from a panel at the ShmooCon hacker conference in Washington, DC on Sunday is for those in cyberspace not to give up on challenges.
Now in its penultimate year, ShmooCon brings together hackers, researchers, government officials and cybersecurity executives to discuss some of the most pressing issues facing the security community. A common theme heard among attendees this year is the increasingly dangerous nature of work in the cybersecurity industry itself. The infosec community is no stranger to legal risks—perhaps an inherent byproduct of working in the field—but is increasingly aware of the increasing legal oversight and consequences that come with the work.
Leading the discussion, startup attorney Elizabeth Wharton, former SEC attorney Danette Edwards, and tech investor Cyndi Gula shared their perspectives and predictions on a panel that explored how the stakes of responsibility in cyberspace are shifting from the bottom line to the executive suite.
The SEC’s new cyber reporting rules were introduced last year, which now require companies to disclose “material” security incidents in public 8-K filings within four business days. The rules went into effect in December and have already led to a flurry of companies filing new data breach disclosures with the Securities and Exchange Commission in its wake, as companies figure out what a “material” impact means. It also saw the first instance of a ransomware gang using the rules to call out the hacked company itself for not filing with regulators.
“We’re going to see a lot of initial 8-K filings and then possibly multiple filings of the same cyber hacks,” Edwards, now a defense attorney and partner at the Katten law firm, said at ShmooCon.
Wharton, founder of Silver Key Strategies and who previously served on Atlanta’s ransomware incident response team, said cyber incidents can change hourly and may require subsequent disclosures.
“When you’re dealing with an incident and you’re still knee-deep in response four days in, you’ve identified, ‘oh, shoot, our bin’s on fire!’ but you haven’t even figured out what materials are necessary in the trash can as it burns — and you need to start reporting,” Wharton said. “Knowing that as things ebb and flow, public companies will have to update [those disclosures].”
The flip side of transparency combined with remote work is that more things than ever are recorded, recorded or otherwise stored and documented. This can be a boon for researchers and a headache for companies.
“I guess every email is going to be read either by your mother or in a deposition, or … in an SEC complaint, and it changes that water conversation,” Wharton said. “Since we’re not necessarily in offices, we make sure you don’t necessarily write it and the content gets lost in the meme you send to your co-workers because you thought it was hilarious.”
“And regulators don’t always have a great sense of humor,” Edwards said.
“Culture is integral to an organization — especially in what we do — because we have a lot of trust,” said Gula, managing partner of Gula Tech Adventures. “Companies are going to have a hard time bringing that culture with an eye that everything they do is going to be under control.”
Not only do the new cybersecurity reporting rules put companies and their data incidents in the spotlight, but recent federal enforcement actions show that cybersecurity executives are shouldering some of the blame as well.
In October, the Securities and Exchange Commission filed charges against SolarWinds CISO Timothy Brown for allegedly misleading investors about the company’s security prior to a cyberattack launched on the company by Russian spies in 2019. Many of the SEC’s charges come from comments Brown reportedly shared internally.
“We’ve also heard a lot of people don’t want to [to be CISO] because of that oversight and because of all these pitfalls that you don’t even know are ahead of time,” said Gula, who serves on the board of several startups. “Please do not move from this position. Please get up and do it.”
Along with that advice, Gula said documentation can also help. When executives need to make changes, fix defects, or improve cyber training, but receive plan or budget denials, ask, “Can I get this in writing?” Adding: “Whatever you can do to get that Eye of Sauron off of you so you can keep throwing the ring into the fire to put out what you have to do — that’s important.”
Zack Whittaker reports from ShmooCon in Washington, DC.
