Howdy, y’all, and welcome to The Cyber Ranch Podcast! Our guest today is Tim Brown. If you don’t know who Tim Brown is, he is the CISO at SolarWinds, and as such, is one of us.
Or maybe in a way, he is all of us, really. Tim advises and has held various other roles in the past, including product roles, which our listeners know are well-respected skills down at the 'Ranch.
The topic today is cyber regulation. It can range from self-regulation to associations, principles, practices, lobbying – all the way up to full government regulation. What works? What’s required?
Topics covered:
- What is the case for regulation?
- What are the basic rules that provide us coverage and clarity?
- Not knowing the rules makes people nervous and afraid...
- Document your own processes, procedures, JDs, what you do, what you don't do. Make it clear!
- Rigorous banking industry regulations exist already. How onerous are they? How badly would they fit the rest of us?
- Perhaps a GAAP (generally accepted accounting principles) equivalent is desired?
- Process/procedure vs. 'Thou shalt never have a vulnerability!'
- Heavy-handed governmental oversight - defining standard of care and turning that into something people can stand behind?
- Remember that Sarbanes and Oxley were people. Real people.
- Is regulation required to create a more positive environment in the way SOX does?
- What does the public-private partnership need so that the rules created are good and realistic and improve cybersecurity for the world?
- REGULATION IS COMING! THE CISO COMMUNITY MUST BE A PART OF THAT REGULATION!
- Have we had a cyber Enron, and do we need one? That was the real catastrophe that launched SOX...
- Regarding GAAP, accounting is deterministic rather than dynamic - can a cyber GAAP ever exist given how dynamic we are?
- The compliance world: principles based vs. rules based regulation - a more practical model. It may not move the bar enough, but it's a good starting point.
- Should a whole field of security auditors exist, the way accounting auditors do?
- We are youngsters in this craft still...
- Is the accounting world really the best metaphor? Auditors, forensic accountants, etc.?
- Another model is the medical world - malpractice, specific rules and regulations on specific surgical practices?
- What about a national CISO board or association like the NACD or the American Psychological Association?
- What about boards like medical review boards that approve specialties?
- Lobbying
- How to fund this?
- Who should be doing the doing? Inclusivity vs. sound gatekeeping.
- A barber has to be licensed to cut hair - should we get licensed?
- Software engineers were having this conversation long before cyber folks were. We learned that self-policing did not really work...
- The challenge is one of not shackling the business, or at least not appearing to, and the subsequent pushback.
The call to action is ultimately this: If you don't have a seat at the table, folks will do things to you rather than with you. So get involved!
Y'all be good now!