{"id":69179,"date":"2024-01-17T13:00:46","date_gmt":"2024-01-17T13:00:46","guid":{"rendered":"https:\/\/entertainment.runfyers.com\/index.php\/2024\/01\/17\/as-hacks-worsen-sec-turns-up-the-heat-on-cisos-techcrunch\/"},"modified":"2024-01-17T13:00:46","modified_gmt":"2024-01-17T13:00:46","slug":"as-hacks-worsen-sec-turns-up-the-heat-on-cisos-techcrunch","status":"publish","type":"post","link":"https:\/\/entertainment.runfyers.com\/index.php\/2024\/01\/17\/as-hacks-worsen-sec-turns-up-the-heat-on-cisos-techcrunch\/","title":{"rendered":"As hacks worsen, SEC turns up the heat on CISOs | TechCrunch"},"content":{"rendered":"


\n<\/p>\n

\n

Over the past<\/span> year we\u2019ve seen Uber\u2019s former chief security officer convicted in federal court<\/a> for mishandling a data breach, a federal regulator charge SolarWinds\u2019 security chief with allegedly misleading investors<\/a> prior to its own cyberattack, and new regulations that compel companies to publicly reveal materially impactful data breaches<\/a> within four business days.<\/p>\n

It might seem like it\u2019s never been a riskier time to work in cybersecurity.<\/p>\n

But a takeaway from one panel at the ShmooCon hacker conference in Washington DC on Sunday is for those in cybersecurity not to walk away from the challenges.<\/p>\n

Now in its penultimate year, ShmooCon brings together hackers, researchers, government officials and cybersecurity executives to discuss some of the most pressing issues facing the security community. A common theme heard among attendees this year is the increasingly risky nature of working in the cybersecurity industry itself. The infosec community is no stranger to legal risks \u2014 perhaps an inherent byproduct of working in the field<\/a> \u2014 but is becoming more aware of the mounting legal oversight and consequences that go with the work.<\/p>\n

Leading the discussion, startup lawyer Elizabeth Wharton, former SEC prosecutor Danette Edwards, and tech investor Cyndi Gula shared their perspectives and predictions in a panel that explored how the cyber-liability stakes are changing from the junior entry level positions all the way to the executive suite.<\/p>\n

\n
\n

Let the glow from past breach dumpster fires light the way to better data care & security practices. Thanks @cyndi_gula<\/a> & Danette for joining me at #shmoocon<\/a> discussing how to minimize risks of \u201cChief Information Sacked Officer\u201d and team pic.twitter.com\/pN8G24TQAh<\/a><\/p>\n

\u2014 Elizabeth Wharton (@LawyerLiz) January 15, 2024<\/a><\/p>\n<\/blockquote>\n<\/div>\n

Last year saw the introduction of the SEC\u2019s new cyber reporting rules that now require companies to disclose \u201cmaterial\u201d security incidents in public 8-K filings within four working days<\/a>. The rules took effect in December and have already resulted in a flurry of companies filing new data breach disclosures with the SEC in its wake as companies figure out what \u201cmaterial\u201d impact means. It also saw the first case of a ransomware gang using the rules to call out the very company it hacked for not filing with regulators<\/a>.<\/p>\n

\u201cWe\u2019re going to see a lot of initial 8-K reports, and then probably multiple reports reporting on the same cyber hacks,\u201d said Edwards, now a defense attorney and partner at law firm Katten, speaking at ShmooCon.<\/p>\n

Wharton, founder of Silver Key Strategies and who previously served on Atlanta\u2019s ransomware incident response team, said cyber incidents can change by the hour and can require subsequent disclosures.<\/p>\n

\u201cWhen you\u2019re dealing with an incident and you\u2019re still knee-deep in the response four days in, you\u2019ve identified, \u2018oh, shoot, our dumpster is on fire!\u2019 but you haven\u2019t even figured out what materials necessarily are in the dumpster as it\u2019s burning \u2014 and you\u2019ve got to start reporting,\u201d said Wharton \u201cKnowing that as stuff ebbs and flows, public companies are going to have to update [those disclosures].\u201d<\/p>\n

The flip side to transparency coupled with remote work is that more things than ever are written down, recorded, or otherwise saved and documented. That can be a boon for investigators and a headache for companies.<\/p>\n

\u201cI assume every email is going to be read either by your mother or in a deposition, or\u2026 in an SEC complaint, and it\u2019s shifting that watercooler talk,\u201d said Wharton. \u201cSince we\u2019re not necessarily in offices, it\u2019s making sure that you\u2019re not necessarily putting it in writing and context gets lost in the meme that you send your colleagues because you thought it was hilarious.\u201d<\/p>\n

\u201cAnd the regulator\u2019s don\u2019t always have a great sense of humor,\u201d said Edwards.<\/p>\n

\u201cCulture is integral to an organization \u2014 specifically in what we do \u2014 because we have a lot of trust,\u201d said Gula, managing partner at Gula Tech Adventures. \u201cCompanies are going to be struggling with bringing that culture with the eye that everything that they do is going to be under scrutiny.\u201d<\/p>\n

Not only are new cybersecurity reporting rules putting companies and their data incidents under the public spotlight, recent federal enforcement action shows cybersecurity executives are also shouldering some of the responsibility.<\/p>\n

In October, the SEC brought charges against SolarWinds CISO Timothy Brown<\/a> for allegedly misleading investors about the company\u2019s security prior to a cyberattack launched on the company by Russian spies in 2019. Much of the SEC\u2019s accusations stem from comments Brown allegedly shared internally<\/a>.<\/p>\n

\u201cWe have also been hearing lots of people don\u2019t want [to be CISO] because of this oversight and because of all of these traps that you don\u2019t even know are ahead of time,\u201d said Gula, who serves as board member of multiple startups. \u201cPlease don\u2019t walk away from that position. Please step up and do that.\u201d<\/p>\n

On that advice, Gula said documentation can also help. When executives have to effect change, patch flaws, or improve cybersecurity training but get plans or budget denied, ask: \u201cCan I get that in writing?\u201d Adding: \u201cWhatever you can do to take that Eye of Sauron off you, so you can continue to throw the ring in the fire to put out whatever you need to do \u2014 that\u2019s important.\u201d<\/p>\n

Zack Whittaker reporting from ShmooCon in Washington DC.<\/em><\/p>\n<\/p><\/div>\n