
Navigating SEC Changes: Transparency vs. Noise in Cybersecurity Governance

"I would propose a regulation and see how much the regulated scream. If they scream a lot, you're doing well." - Bruce Schneier

Frances Fedoriska | April 25, 2024


The Securities and Exchange Commission's (SEC) recent changes to its disclosure and transparency requirements have sparked debate in the cybersecurity community, along two lines:

The first, that the requirements are beneficial because they make organizations more accountable: incidents will come out in public filings, so they cannot be quietly buried.

The second, that mandating more reports produces more noise than signal, and that no amount of added disclosure actually helps the people whose data has been compromised.

Cybersecurity expert Bruce Schneier helps us explore the benefits and drawbacks both sides present for Chief Information Security Officers (CISOs).

"The whole point of a market economy is intelligent buyers making intelligent buying decisions."

Key points of the conversation:

Noise over signal.

The risk that a flood of filings drowns the signal in noise is likely to be mitigated by third parties whose job is to interpret the raw data. In the consumer space, for example, organizations like Consumer Reports take seller-supplied data, run independent tests, and report to buyers which products are worth considering.

Importance of Transparency in Corporations.

Advocates for transparency point out that additional disclosures reduce the power imbalance between corporations and the people they serve, and let consumers make more informed decisions about who and what has access to their private data and how it is handled.

Policy Recommendations for Effective Regulation.

Effective regulation should provoke resistance from the entities it regulates. If there is no resistance, in Schneier's view, the regulation is not doing enough to change the status quo. His example is the pushback from airlines against rules requiring the true cost of a ticket, including fees, to be shown while the buyer is still comparing fares rather than at the moment of purchase.

The Role of the SEC and Challenges in Enforcement.

The Securities and Exchange Commission (SEC) was created to force publicly traded companies to be more transparent with shareholders, after companies hiding bad financials left investors unable to judge the true value of what they were buying. The decades since have been a cycle of the SEC passing rules and companies finding loopholes around them; that cycle is expected to continue as the new cybersecurity disclosure rules evolve.

Ethical Challenges for CISOs.

CISOs remain the fulcrum between corporate objectives and their own ethical responsibilities. Recent instances of CISOs facing repercussions or criminal charges after a breach (such as the Uber case, which Schneier notes may not be a great test case) will keep raising the question of who is really accountable for the organizational environment in which breaches happen.

Meet Bruce Schneier at RSAC

Here’s your chance to meet Bruce Schneier and get a free signed copy of his book, “A Hacker’s Mind” during our "Meet the Author" event at the 2024 RSA Conference in San Francisco on Tuesday, May 7.

FIRST: reserve your book at this link

THEN: Come get it signed by Bruce between 3:30 and 4:30 pm PST on Tuesday, May 7

WHERE: Gutsy's RSAC Booth 360 (South Expo Hall of the Moscone Center)

See you May 7th!

Full video transcript:

John

So the SEC has some recent changes around disclosure that have really made a significant impact on probably the day-to-day job of your average CISO. Sometimes people argue that those requirements around increased transparency and accountability are beneficial because they basically incentivize the organization to be more accountable.

But you can also kind of argue the other side of that, which is sometimes when you have to make a lot of reports that ultimately you can create much more noise than signal and it's not really going to help the people whose data is, you know, potentially lost or compromised.

Bruce

I tend to be a big fan of transparency for corporations.

One, because it reduces the power imbalance between corporations and the people they're serving.

And two, because the whole point of a market economy is intelligent buyers making intelligent buying decisions. And the more the sellers can obscure the details of what they're selling, the less well the market works.

So I want a lot of transparency, I want a lot of information. And I'm actually not worried about signal versus noise because there are organizations that will interpret the data and produce signal. In the consumer space, you have organizations like Consumer Reports that will take seller data and then do experiments and report out to buyers: here's information you can use.

John

What are some recommendations that you might have from a policy standpoint to make such regulation more impactful and really result in the kind of data that'll be useful?

Bruce

I would propose a regulation and see how much the regulated scream. If they scream a lot, you're doing well. If they like it, it's useless and regulation is not going to work unless it really pisses off the companies being regulated because companies like it when they can hide things. I mean something as simple as getting airlines to disclose the true fare when people are comparing fares rather than at the last moment when they're buying.

Right. That seems like a no brainer. The airlines screamed. Of course they did. They're going to lose revenue here, but that's something that reduces the power imbalance, gives consumers more choice. Being better able to make buying decisions would result in a more functioning marketplace.

I want buyers to be able to make intelligent decisions, so they're going to need accurate information. In a sense, that's the whole point of the FCC. They're formed because companies were hiding bad financials and shareholders were getting screwed because they didn't know the true value of the companies they were buying. The FCC is created to force publicly traded companies to be more transparent, and the past bunch of decades has been the FCC passing rules and companies figuring out how to get around them. It is cheaper to hide how bad you are than it is to fix it.

I mean, this is hard as a CISO. You work for the company and, you know, this is the way the market works. If you are sort of more ethical than the absolute minimum, you'll be fired and replaced with a less ethical CISO, like any officer of the company, because that's the way the system works. That's what the market, in a sense, does: the market sets morality.

And we in our industry have a history of CISOs quitting because their bosses won't let them do the right thing. We also, and this is new, have a history of CISOs being charged when a bad thing happens. And you know, this is dicey here because we don't know: is it the CISO's fault? Was it the environment that the CISO is being put in?

The Uber case was particularly egregious and I'm not sure it's a great test case, but that is making a lot of CISOs nervous and I think it should.

I like it when senior management is personally responsible for what goes on in their organizations. I mean, they are uniquely in a position to shape how the organizations work and what the priorities are, and having them on the hook for getting it wrong feels good to society.