#governance – 370 Security Blog

When Evaluating A New CISO Role Don’t Forget The SEC 10-K And Other Governance Forms

When evaluating a new CISO role it is common to do research on the company, industry, product line, etc., but an area that is often overlooked are SEC filings like the SEC Form 10-K and board committee charters. SEC filings and committee charters can offer a wealth of information about how a company views and governs key issues like cybersecurity and risk. In this post I’ll cover where to find key information, red flags to watch out for and other useful information that can be discussion topics during the interview process.

Finding The Right Forms

If you are new to reviewing SEC filings and corporate governance documents there are a number of places to find documents about corporate governance and how the company strategically views cybersecurity and risk. These documents will provide insight into who you may need to influence in order to execute a successful security program and it will also give you an implicit understanding of the priority the company assigns to cybersecurity issues. The two best places to find relevant forms are on SEC.gov (Edgar) or on the company’s own investor relations website.

SEC Forms

The most common SEC forms you will want to review when preparing for a new CISO role are the SEC Forms 10-K, 10-Q and 8-K.

10-K: The SEC Form 10-K is a comprehensive annual report filed by public companies. It has a wealth of information such as their financials, how they view the market, executive compensation and more. When considering a new CISO role definitely check out section 1 and 1A. Section 1 covers an overview of the business and section 1A covers macro risk factors (you may be asked to help mitigate these risks). Section 1 may also specifically call out cybersecurity governance and have details on the reporting structure, responsibilities, experience and methods for governing cybersecurity at the company. Also check out section 7, which will detail how management describes the company and can also have details on recent acquisitions or restructuring activities, which could continue to present a risk to the business.
10-Q: The SEC Form 10-Q is a comprehensive quarterly report filed by the public company. This will detail their quarterly results and will also provide any updates or changes to the sections I listed above – mainly section 1, 1A and section 7. Most of the time there won’t be any updates to these sections and they will refer back to the 10K, but it is still good to review the latest 10-Q available.
8-K: The SEC Form 8-K is a form companies must file to notify investors of major events. The biggest thing CISO candidates will want to review is if the company has had any material cybersecurity or operational incidents. However, if the company deems an event isn’t material it may not be in the 8-K and so it is a good idea to do a web search of the company as well.
Committee Charter Docs: The last set of documents to review are the committee charter documents. This will tell you how the board is structured, which can give you insights into what to expect if you take the role and give periodic updates to the board. The committee charter documents will also outline how they govern cybersecurity, risk and technology and the committee charter documents can give you implicit insight into how the company views the role of the CSO / CISO and cybersecurity.

How Should Cybersecurity Be Governed?

When reviewing the governance and committee documents of a public company, you may find cybersecurity discussed in different places. You should review these documents and also consider discussing cybersecurity governance during the interview process.

Audit committee

The audit committee is the most common committee to govern cybersecurity and risk at a public company. The challenge with placing cybersecurity and risk in the audit committee is the primary function of that committee is financial accuracy and integrity. Cybersecurity and risk are typically listed as “other functions”, which runs the risk of it not having the same priority as financial activities and the committee members may not have the right expertise to govern these functions. The typical executive experience of an audit committee member can be CEO, CFO or COO and these individuals typically aren’t experts in cybersecurity or risk. It isn’t the end of the world, but as a CISO candidate you should review the backgrounds of the audit committee board members and ask how they interact with existing C-Level executives when discussing cybersecurity, technology and risk. You may even want to ask to interview with one of the committee members before taking the job. The main goal is to make sure you are going to get the consideration, prioritization and support you need.

Tech and cyber committee

Aside from the audit committee, the other committee that governs cybersecurity and risk is the technology and cyber committee. However, the existence of this committee is currently non-standard at public companies even though it is considered best practice for corporate governance. If the company you are interviewing has a technology and cybersecurity committee consider yourself fortunate, but you should still do your own due diligence by researching the existing committee members and their backgrounds. Consider requesting an interview with one of these committee members (if it isn’t part of the interview process) to get their perspective on cybersecurity governance and issues at the company.

The challenge with placing cybersecurity and risk in the audit committee is the primary function of that committee is financial accuracy and integrity.

Other Cybersecurity Governance Aspects To Consider

There are a few other aspects to consider when reviewing corporate governance documents. These other areas can give you valuable insight into what is expected of you if and when you assume the role of CISO at the company. First, I recommend covering materiality during the interview process. Ask if the company has a process and if possible discuss their criteria for determining materiality of a security incident. Second, review and assess how often the board committee responsible for cybersecurity meets. This can give you an idea of how often you will be expected to present to the board and may even give you an idea of the topics that are discussed.

Red Flags

The whole point of reviewing these documents is to help you make an informed decision about what you are walking into if you take the role. There are few red flags you should look out for in these documents that should definitely be discussed during the interview to make sure you are clear on your role and expectations. These red flags may also help you when negotiating for things like severance, inclusion in the D&O liability policy or other concessions.

10-K & 10-Q

Remember, the 10-K and 10-Q will have a section on risks and the company may specifically call out cybersecurity risk as a macro issue they are concerned about. However, one red flag I would bring up for discussion is does the company address how they plan to manage these risks? Something as simple as “we plan to discuss and manage these risks inline with business priorities and expectations to minimize their impact” indicates they have at least given it some thought. Even better, if the company has a detailed section on risk and risk management that addresses how they plan to govern the company to address these risks. If the 10-K and 10-Q just list the risks, it may be an indication the company is paying lip service to cybersecurity or it could mean they are waiting for the right candidate to come in and develop a plan.

Experience Of Committee Board Members

Another potential red flag is the background and experience of the board members for the committee that governs cybersecurity and technology risk. Review their background, how long they have been serving on the board and when they are up for re-election. If the committee members have a strong technology or cybersecurity background you can expect to find an ally in the board room. If the committee members haven’t been technology executives you may find you have to change your message or do some education when reporting to the board. The SEC has indicated cybersecurity experience is necessary for the board to effectively govern risks, so if there isn’t clear experience, it is something to bring up in the interview for how and when the company is planning to address the experience gap.

Cybersecurity As Part Of The Audit Committee

I previously mentioned most public companies have cybersecurity listed as an additional function of the audit committee. This can be a red flag if the board doesn’t have committee members with technology experience, but can also be a red flag if the company views the CISO role and security program as more of a compliance function. The view of the board will be directly related to how much funding and support you are able to get from the rest of the company like the CEO and CFO.

Having cybersecurity and risk as part of the audit committee can also lead to a disconnect from the main security program. For example, if the audit committee treats security more as a compliance function, they may request a group that reports directly to them that audits the effectiveness of the corporate security program. This can lead to duplication of effort, cross purposes and mixed messaging at the board level. It can also undermine the authority of the CISO if the board is independently dictating security actions to the company outside of the main security program. However, having cybersecurity as part of the audit committee isn’t the end of the world and can actually lead to support from the board, but it will require additional effort and relationship management to make sure the board is supporting your program effectively. These are all topics you will want to explore during your interview.

Other SEC Filings

There are a few other areas you should review when conducting research for a new CISO position. I highly recommend reviewing recent 8-K filings and conducting internet searches to see if the company has reported any recent security incidents or breaches. If they have, you may be walking into a situation where they need immediate help to get back to a good state, but that support may wane after the urgency of the situation dies down. If you are considering taking a role that is walking into a post incident situation, be really clear on expectations and success criteria and try to build those into your employment contract.

The other area I recommend reviewing is recent or ongoing M&A activity. This will be listed in the 10-K or 10-Q filings for the company and it can give you some insight into what you may be walking into as a CSO / CISO. M&A activity is notorious for “closing the deal” and then sorting everything out later. As a CISO this means you could be inheriting a heterogenous security program or you may have to spend a significant amount of time up-leveling the acquisition to meet the standards of the rest of the company. There may even be extensive integration, standardization, etc. that needs to be completed. All of these are risks that you should be aware of when walking into a new CISO role.

Wrapping Up

When evaluating a new CISO role for a public company I recommend thoroughly researching the company as part of your evaluation process for the role. Familiarize yourself with their business model, the latest news articles, key members of the executive staff, board members and financial statements. If you have a strong CISO network I recommend reaching out to them and getting their perspective on the position. However, overlooked areas of research are the public company filings with the SEC and other investor relations documents that can give you more perspective on the company. It is particularly important to review these documents to get an idea of how the company governs cybersecurity and risk. These documents will also highlight potential red flags and discussion topics to explore during your interview. Thoroughly researching the company and the role will not only help prepare you for the interview process, but can also give you insight into how other public companies govern these issues so you can compare with your current position and make the best decision possible for your career.

Resources

SEC Search

DDN Discussion Of Cybersecurity Governance

If Data Is Our Most Valuable Asset, Why Aren’t We Treating It That Way?

There have been several high profile data breaches and ransomware attacks in the news lately and the common theme between all of them has been the disclosure (or threat of disclosure) of customer data. The after effects of a data breach or ransomware attack are far reaching and typically include loss of customer trust, refunds or credits to customer accounts, class action lawsuits, increased cyber insurance premiums, loss of cyber insurance coverage, increased regulatory oversight and fines. The total cost of these after effects far outweigh the cost of implementing proactive security controls like proper business continuity planning, disaster recovery (BCP/DR) and data governance, which begs the question – if data is our most valuable asset, why aren’t we treating it that way?

The Landscape Has Shifted

Over two decades ago, the rise of free consumer cloud services, like the ones provided by Google and Microsoft, ushered in the era of mass data collection in exchange for free services. Fast forward to today, the volume of data growth and the value of that data has skyrocketed as companies have shifted to become digital first or mine that data for advertising purposes and other business insights. The proliferation of AI has also ushered in a new data gold rush as companies strive to train their LLMs on bigger and bigger data sets. While the value of data has increased for companies, it has also become a lucrative attack vector for threat actors in the form of data breaches or ransomware attacks.

The biggest problem with business models that monetize data is: security controls and data governance haven’t kept pace with the value of the data. If your company has been around for more than a few years chances are you have a lot of data, but data governance and data security has been an afterthought. The biggest problem with bolting on security controls and data governance after the fact is it is hard to reign in pandoras box. This is also compounded by the fact that it is hard to put a quantitative value on data, and re-architecting data flows is seen as a sunk cost to the business. The rest of the business may find it difficult to understand the need to rearchitect their entire business IT operations since there isn’t an immediate and tangible business benefit.

Finally, increased global regulation is changing how data can be collected and governed. Data collection is shifting from requiring consumers to opt-out to requiring them to explicitly opt-in. This means consumers and users (an their associated data) will no longer be the presumptive product of these free services without their explicit consent. Typically, increased regulation also comes with specific requirements for data security, data governance and even data sovereignty. Companies that don’t have robust data security and data governance are already behind the curve.

False Sense Of Security

In addition to increased regulation and a shifting business landscape, the technology for protecting data really hasn’t changed in the past three decades. However, few companies implement effective security controls on their data (as we continue to see in data breach notifications and ransomware attacks). A common technology used to protect data is encryption at rest and encryption in transit (TLS), but these technologies are insufficient to protect data from anything except physical theft and network snooping (MITM). Both provide a false sense of security related to data protection.

Furthermore, common regulatory compliance audits don’t sufficiently specify protection of data throughout the data lifecycle beyond encryption at rest, encryption in transit and access controls. Passing these compliance audits can give a company a false sense of security that they are sufficiently protecting their data, when the opposite is true.

Just because you passed your compliance audit, doesn’t mean you are good to go from a data security and governance perspective.

Embrace Best Practices

Businesses can get ahead of this problem to make data breaches and ransomware attacks a non-event by implementing effective data security controls and data governance, including BCP/DR. Here are some of my recommendations for protecting your most valuable asset:

Stop Storing and Working On Plain Text Data

Sounds simple, but this will require significant changes to business processes and technology. The premise is the second data hits your control it should be encrypted and never, ever, unencrypted. This means data will be protected even if an attacker accesses the data store, but it also will mean the business will need to figure out how to modify their operations to work on encrypted data. Recent technologies such as homomorphic encryption have been introduced to solve these challenges, but even simpler activities like tokenizing the data can be an effective solution. Businesses can go one step further and create a unique cryptographic key for every “unique” customer. This would allow for simpler data governance, such as deletion of data.

Be Ruthless With Data Governance

Storage is cheap and it is easy to collect data. As a result companies are becoming digital data hoarders. However, to truly protect your business you need to ruthlessly govern your data. Data governance policies need to be established and technically implemented before any production data touches the business. These policies need to be reviewed regularly and data should be purged the second it is no longer needed. A comprehensive data inventory should be a fundamental part of your security and privacy program so you know where the data is, who owns it and where the data is in the data lifecycle.

The biggest problem with business models that monetize data is: security controls and data governance haven’t kept pace with the value of the data.

Ruthlessly governing data can have a number of benefits to the business. First, it will help control data storage costs. Second, it will minimize the impact of a data breach or ransomware attack to the explicit time period you have kept data. Lastly, it can protect the business from liability and lawsuits by demonstrating the data is properly protected, governed and/or deleted. (You can’t disclose what doesn’t exist).

Implement An Effective BCP/DR and BIA Program

Conducting a proper Business Impact Analysis (BIA) of your data should be table stakes for every business. Your BIA should include what data you have, where it is and most importantly, what would happen if this data wasn’t available? Building on top of the BIA should be a comprehensive BCP/DR plan that appropriately tiers and backs up data to support your uptime objectives. However, it seems like companies are still relying on untested BCP/DR plans or worse solely relying on single cloud regions for data availability.

Every BCP/DR plan should include a write once, read many (WORM) backup of critical data that is encrypted at the object or data layer. Create WORM backups to support your RTO and RPO and manage the backups according to your data governance plan. Having a WORM backup will prevent ransomware attacks from being able to encrypt the data and if there is a data breach it will be meaningless because the data is encrypted. BCP / DR plans should be regularly tested (up to full business failover) and security teams need to be involved in the creation of BCP/DR plans to make sure the data will have the confidentiality, integrity and availability when needed.

Don’t Rely On Regulatory Compliance Activities As Your Sole Benchmark

My last recommendation for any business is – just because you passed your compliance audit, doesn’t mean you are good to go from a data security and governance perspective. Compliance audits exist as standards for specific industries to establish a minimum bar for security. Compliance standards can be watered down due to industry feedback, lobbying or legal challenges and a well designed security program should be more comprehensive than any compliance audit. Furthermore, compliance audits are typically tailored to specific products and services, have specific scopes and limited time frames. If you design your security program to properly manage the risks to the business, including data security and data governance, you should have no issues passing a compliance audit that assesses these aspects.

Wrapping Up

Every business needs to have proper data security and data governance as part of a comprehensive security program. Data should never be stored in plain text and it should be ruthlessly governed so it is deleted the second it is no longer needed. BCP/DR plans should be regularly tested to simulate data loss, ransomware attacks or other impacts to data and, while compliance audits are necessary, they should not be the sole benchmark for how you measure the effectiveness of your security program. Proper data protection and governance will make ransomware and data breaches a thing of the past, but this will only happen if businesses stop treating data as a commodity and start treating it as their most valuable asset.

What’s The Relationship Between Security Governance and Organizational Maturity?

Organizational and security governance is touted as a key component of any successful security program. However, I’ve been thinking about governance lately and how it relates to the overall maturity of an organization. This has prompted some questions such as: what happens if you have too much governance? and What’s the relationship between security governance and organizational maturity?

What Is Governance?

First, let’s talk about what governance is.

Governance is the process by which an organization defines, implements and controls the business.

Let’s unpack what this means for a security organization. The process of defining security for the business is done through policies, standards and guidelines. Security policies are requirements the business must meet based on laws, regulations or best practices adopted by the business. These policies align to business objectives. Implementation is done through security controls that are put in place to meet a specific policy or to manage a risk. Lastly, controlling the business is done via audits and compliance checks. The security org follows up on how well the business is following policies, implementing controls and managing risk. Control can also include enforcement, which can involve gating processes, such as requiring approval for business critical and high risk activities, or recommending additional security requirements for the business to manage a risk.

Why Do We Need Governance At All?

In an ideal world we wouldn’t. Imagine a business that is created entirely of clones of yourself. There would be implicit and explicit trust between you and your other selves to do what is best for the business. Communication would be simple and you would already be aligned. In this case you don’t need a lot (or any) governance because you can trust yourself to do the things. However, unless you are Michael Keaton in Multiplicity, this just isn’t a reality.

Governance achieves a few things for a business. First, it communicates what is required of its employees and aligns those employees to common objectives. Second, it helps employees prioritize activities. None of this would be needed if human’s weren’t so complex with diverse backgrounds, experiences, perspectives, education, etc. In an ideal world we wouldn’t need any governance at all. The reality is, we do need governance, but it needs to be balanced so it doesn’t unnecessarily impede the business.

How Does This Relate To Organizational Maturity?

Organizational maturity refers to how your employees are able to execute their tasks to achieve the objectives of the business. This relates to things like the quality of code, how quickly teams resolve operational issues or how efficiently they perform a series of tasks. It can be loosely thought of as efficiency, but I actually think it combines efficiency with professionalism and integrity. Maturity is knowing what good is and being able to execute efficiently to get there. There is a fantastic book about this topic called Accelerate: The Science of Lean Software and DevOps: Building High Performing Technology Organizations by Nicole Forsgren PhD.

Which brings us to the relationship of governance and maturity…

There is an inverse relationship between organizational maturity and organizational governance. In simple terms:

The less mature an organization, the more governance is needed.

For example, if your organization struggles to apply patches in a timely manner, continually introduces new code vulnerabilities into production or repeatedly demonstrates behavior that places the business at risk, then your organizational maturity is low. When organizational maturity is low, the business needs to put processes and controls in place to align employees and direct behavior to achieve the desired outcomes. In the examples above, increased governance is an attempt to manage risk because your employees are behaving in a way that lacks maturity and is placing the business at risk.

What causes low organizational maturity?

Organizational maturity is a reflection of employee behavior, skillset, knowledge, education and alignment. In other words, organizational maturity is a reflection of your organizational culture. In practical terms your employees may simply not know how to do something. They may not have experience with working for your type of business or in the industry you operate in. Perhaps they had a really bad boss at a past job and learned bad behavior. Whatever the reason, low organizational maturity is linked to lots of sub-optimal outcomes in business.

How To Improve Organizational Maturity?

If governance and maturity are inversely linked, the question becomes how can we increase organizational maturity so we need less governance? There are a lot of ways to increase organizational maturity. One that is fairly obvious is to start with a mature organization and maintain it over time. However, this is easier said than done and is why some organizations are fanatical about culture. This relates to everything from hiring to talent management and requires strong leadership at all levels of the company.

“The less mature an organization,
the more governance is needed.”

Other ways to improve organizational maturity are through training and education. This is why security awareness and training programs are so critical to a successful security program. Security awareness and training programs are literally attempting to improve organizational maturity through education.

One last way to improve maturity is via process. The security organization can establish a new process that all teams must follow. As teams go through this process you can educate them and reward teams that exhibit the ideal behavior by relaxing the process for them. You can also help teams educate themselves by publishing the requirements and making the process transparent. The challenge with imposing a new process is having the discipline to modify or remove the process when needed, which comes back to governance.

What’s the right level of governance?

The optimal level of governance is going to be based on your organizational maturity and desired business outcomes. In order to determine if you have too much or too little governance you need to measure organizational maturity and the effectiveness of existing organizational governance. There are industry standard processes for measuring organizational maturity, like the Capability Maturity Model Integration (CMMI) and Six Sigma, or you can create your own metrics. Some ways to measure governance effectiveness are:

Ask For Feedback On Security Processes – Are the processes effective? Do teams view them as an impediment or are they viewed favorably? Are the processes easy to navigate and objective or are they opaque and subjective?
Measure Effectiveness Of Security Controls – Are your security controls effective? If you ask a team to do work to implement a security control you should have clear metrics that determine if that control is effective. If you implement a control, but that control hasn’t changed the outcome, then the control is ineffective. This can indicate your governance is ineffective or your organizational maturity needs to improve.
Assess and Update Policy – Security policies should be living documents. They shouldn’t be set in stone. Security policies need to map back to laws and regulations they support and the business requirements needed to be successful. Laws, regulations and business requirements all change over time and so should your security policies. By having up to date and relevant security policies you can ensure your organizational governance matches the maturity of the business.

What Are Typical Scenarios For Governance And Maturity?

There are four scenarios related to governance and maturity:

A mature organization with too much governance – your organization is mature, but you are overly controlling with process and requirements. The net effect will be to slow down and impede the business unnecessarily. You are effectively lowering the organizational maturity due to too much governance.

An immature organization with too little governance – this is a recipe for disaster. If your organization is immature and you fail to govern the organization you will open the business up to unnecessary risk. You will get out maneuvered by your competitors, you will miss opportunities, you will fail to comply with laws and regulations and generally will have a lot of activity without any result. Your employees will lack coordination and as a result your business will suffer.

A mature organization with too little governance – This isn’t a bad scenario to be in. A mature organization implies they are doing the right things and don’t need a lot of guidance. A laissez faire attitude may be the right thing to allow employees flexibility and freedom, but it does come with inherent risk of not being compliant with laws and regulations. It may also mean there is duplication of effort or multiple ways of doing things, which could be optimized.

Governance and maturity are balanced – obviously this is the ideal scenario where your organizational governance is balanced to the level of maturity of the organization. Easy to think about in practice, difficult to achieve in reality.

Wrapping Up

Organizational governance and maturity are inversely related and need to be balanced in order for the business to operate effectively. There are ways to measure organizational maturity and governance effectiveness and by having a continual feedback loop you can optimally align both for success.