After only one year since being introduced, the U.S. SEC cybersecurity ruling has upended the way many organizations approach a security incident. Four-day incident reporting windows, increased legal liability for violations, and subjective definitions of materiality all now have a greater impact on CISOs and their teams. Meanwhile, disruptive attacks have become so common that nearly 90% of CISOs reported dealing with one in the past year, according to Splunk’s CISO Report. For security professionals, the pressure has never been higher; a security incident that makes headlines or gets into the public eye now puts the organization’s reputation and financial standing on the line while the world watches.
And it’s not just the SEC ruling either. Splunk’s 2024 State of Security report articulates how new global regulations, including Europe’s NIS2 and the Digital Operational Resilience Act (DORA), now introduce tighter requirements and severe penalties for violations, indicating a trend of legislation that more aggressively protects shareholders from the fallout of cyber attacks and incidents.
During Splunk’s .conf+ executive event, I led a panel of Splunk leaders and customers who shared stories and drew on their collective wisdom and experience regarding what CISOs should—and shouldn’t—do when navigating today’s rigorous regulatory environment.
Here are four of the biggest takeaways we discussed if — or when — an incident goes public.
1. “Materiality” is an organization-wide issue
Make no mistake, CISOs will often be shouldered with the responsibility to define and communicate materiality to their board and leadership in a way that they can understand. But to say it’s solely a CISO or security issue paves the way for inevitable violations, misinterpretation and future mishaps.
Defining materiality is no small task. During our .conf+ panel, speakers overwhelmingly agreed that what constitutes a material incident in the SEC cyber ruling is undeniably vague. According to the SEC, a material incident is any event that a reasonable shareholder would consider important when making an investment decision. Among other things, the incident would likely have to impact a company’s operations, revenue and profits, reputation, or compliance posture.
Even so, the definition leaves a lot of room for interpretation. So it’s critical to have those conversations with stakeholders, such as the board and C-suite (CEO, CIO, CFO), early and often. Discuss the rubrics of a material incident with your board and C-suite and come to a consensus on the definition of “materiality.” Then convey that definition to HR, legal, compliance, risk management and other important organizational leaders and teams so that everyone is on the same page. We would even recommend running a tabletop exercise that walks through the process with the board.
And while CISOs might have to spearhead that conversation, it’s incumbent on everyone to participate.
2. Cultivate strong relationships with legal teams
It’s smart to get the lawyers involved as early as possible, which means well before an incident even occurs. Maintaining relationships with both internal and external counsel is critical, as it builds trust and rapport. They know the implications of regulations and their impact on the business, as well as the factors that will create the most risk and put the organization in jeopardy. They also know what course of action is and isn’t viable for your teams during an incident, especially in those critical early stages. Cultivate understanding and clear communication paths with the chief legal officer, so that when a risk threshold is crossed, they can quickly hop on a call and provide reliable guidance, taking a lot of the guesswork out of your next steps. One important recommendation is to meet regularly with your outside counsel to ensure you are ready for an incident.
By the same token, it’s imperative to work collaboratively with other teams throughout the organization, such as compliance, privacy and risk, HR, and public relations, who will be critical resources if an incident makes headlines. Security leaders should be meeting with these teams regularly, building bridges and understanding their day-to-day operations, so everyone can jump into the fray and work together at a moment’s notice. Security leaders should also establish a culture of transparency and communication, providing regular updates to stakeholders and regulators to minimize surprises in the event of an incident. You’re all on the same team, so acting like one unit is not only the best plan, it’s often the only plan.
3. Create — and execute on — a proactive incident response plan
As the old adage goes, “Failing to plan is planning to fail.” In today’s rigid and punitive regulatory environment, that holds especially true. Panelists made a strong case for organizations to update their incident response plan to accommodate the more severe aspects of the SEC ruling and be more proactive.
This includes implementing a disclosure committee made up of various teams and stakeholders to examine breaches, determine materiality, and recommend next steps.
A robust incident response plan will also outline to a “T” the processes, procedures, and action items all involved parties will take if a breach goes public. Panelists emphasized that it was critical for everyone to know their roles and responsibilities ahead of time, so from the C-suite to the individual contributors, everyone needs to know where they will be held accountable.
For example, before an incident occurs, CXOs should ramp up media training to handle tough interviews with confidence, answer difficult questions thoughtfully, and redirect leading questions to minimize liability. As part of crisis management, teams will also need a clear communication plan in place, which might include scheduled emails to organizational teams, legal counsel, and shareholders, with the most important messages prioritized. Decide in advance what details you will share externally and how quickly you will share them. Transparency with customers is key.
It’s also essential to implement processes and controls that are scalable and can grow with the organization. That can mean automating routine administrative security functions so that security personnel can attend to critical investigations and ensure their security defenses are running optimally. A comprehensive incident response plan might call for tiered levels of support, depending on the severity of the breach, so that teams can pace themselves and not risk draining resources in the middle of a cyber event.
But a plan is only as good as its execution. Include regular incident response drills and simulations as part of your employee education and training, to ensure processes will be second nature. And you’ll be ready.
4. Prioritize your team’s mental health
This one can’t be overstated. It’s well documented that CISOs and security professionals experience an inordinate amount of anxiety, burnout, depression, PTSD, and other mental health issues. The 2024 Splunk State of Security report indicates that security professionals experience high levels of burnout and anxiety due to growing demands and talent shortages. Panelists also said that many security professionals turn to alcohol and/or narcotics to help cope with stress.
The safety, reputation, and even financial standing of their organization are placed squarely on the shoulders of security teams. And a major breach or incident is often akin to a traumatic event. Many work long days in silos, with very little interaction or means of communicating with colleagues, fostering loneliness and isolation. And often, reaching out to a peer for help is not modeled or encouraged. In addition to existing stressors, the SEC ruling imposes significantly narrower reporting windows coupled with the possibility of legal liability and even jail time.
The good news is that CISOs and security leaders will also have opportunities to effect real and meaningful change. Panelists agreed that CISOs should check in regularly with their team members both before and after an incident to make sure they’re supported. CISOs can and should advocate for more mental health resources from their organizations, including everything from therapy services and well-being activities to peer-to-peer support groups, mental health days, and flexible time off.
Stringent compliance regulations aren’t going away any time soon. And organizations are still navigating this new normal. No doubt, these laws introduce new stressors, deadlines, and legal challenges. But they also compel us to communicate, be more proactive, and take a unified stance when it comes to incident response. Thinking differently about incident response will not only help teams be more effective at security, but will ultimately pave the way for us to become more resilient together.
To learn more about how CISOs and their teams are approaching a new and evolving regulatory environment, download the Splunk CISO Report and the Splunk 2024 State of Security report.