Welcome back everyone, theCUBE's live coverage, day two at mWISE, Mandiant's Worldwide Cybersecurity Conference. I'm John Furrier, host of theCUBE. We've got a great panel here discussing the rule changes going on around risk management, cybersecurity. Marshall Heilman, global CTO at Mandiant, is here with me again. Edgar Capdevielle, CEO of Nozomi Networks, CUBE alumni, and Amy Geiger, managing director at Accenture. Folks, thanks for coming on, appreciate your time. Good to see you again.

Thanks for having us.

So day two, we're kicking off a lot of discussion around obviously zero day prevention. You can't just prevent; it's going to happen. Social engineering, we see all the things going on in the world. There's a lot of rule changes going on. There's a lot of compliance discussions, risk management in particular. I mean, everyone's got to be scared. Look at the MGM thing that's happening, happened and still happening. It's just every day, it's inevitable, it's going on. A lot of new rule changes. Let's get into it, Amy. Let's talk about this new rule change that happened in July that's pretty material on the SEC on cyber risk management.

Yeah, yeah, absolutely. So there's really two parts, right? So the first part really focuses on your 10K disclosures. How are you articulating your processes around governance around cyber risk, both how the board's governing it, as well as how management's governing cyber risk, and how that is disclosed in your 10K. I think the piece that's causing a lot of stir, I would say, is more the 8K piece, which is, okay, you've got a cyber incident now. You need to define materiality thresholds and if you determine that that incident is material, now you have four days to disclose in an 8K publicly that you've had a material cyber incident.

This is putting a lot of pressure on the system that's already highly stressed. What's the impact of this? Because, I mean, it's nuanced, right? It's, what does the day mean? When does the day start?
What's the clock? When does the clock start? Is there a dwell time involved? I can almost imagine the wiggle room that's needed for a company to get them more time, because a lot of the time they're scared, they're worried about what's actually happening materially in the network or in the breach or any kind of incident. What's the, how does it all go? I mean, what's the guidance on when the clock starts, and how do companies respond?

Yeah, and I think this is where we see some of the tension and struggle, right? Because, I mean, it's very clear that the clock starts when you determine materiality, right? So I think the first task companies have right now is, what's my framework for establishing materiality? And it's a mix of dimensions and thresholds, qualitative, quantitative factors, legal implications, reputational implications, financial implications, those kinds of things. Once you determine that you've got a material incident, now all the operational impacts start, right? So not only am I trying to contain my incident, but now I've got to start making sure I'm getting the right data to be able to make those calls around materiality. So I think there's real operational impacts to incident responders when you think about compliance with the ruling.

Marshall, you guys do a lot of work with the companies. What is that standard for you guys? Is it, are people like, I don't want to know, like, what's the standard for material?

So, well, I'm not sure I can comment on exactly what is material because that is different for every single organization, right? I do think that with this SEC rule change, how companies look at materiality is probably going to change. As with any type of rule change like this, I think we have to take a step back and kind of wait and see how it gets approached. I was reading two different 8Ks that were filed recently from two different organizations. One didn't say very much.
It just acknowledged the fact that there was an incident, it's being handled, very, very light on details. The other one happened to publish almost four paragraphs of details. So they were very detail oriented and said a lot about the incident. Was that because one company wanted to disclose more than the other one, or was it simply because within that four day time period, one company was able to get a better handle on what had happened than the first organization? And from my perspective, having been in this game for about 17 years, you never want to victim shame the victim, right? And so it's unfair to judge how an organization is doing based on what they file on their 8K, especially when we don't understand the standard for what should be disclosed and what is the fair disclosure at that point in time. Because what an organization doesn't want to do is disclose too much information, ultimately be wrong because they're early on in the investigation, and have to walk some of that back in public filings. It's almost a no win scenario if they don't do it right.

Edgar, this is interesting with the vulnerability, unique vulnerability opportunities for attackers with IoT and OT technology. Sometimes it's a Windows 7 server or desktop machine running an OT device, and now you've got multi-threaded light bulbs with IP addresses. I mean, the IoT surface area is unique. What's the challenge for the CISO with this rule? Because it's...

I think it's going to be both a challenge and an opportunity, right? So I think, if it's going to be hard to establish materiality and respond within four days in the world of IoT, which has evolved consistently with hackers, imagine the world of OT, which is lagging behind. The CISOs don't necessarily have the budget centralized, the authority centralized. A lot of times the world of OT, which many folks consider a subset of IoT, is under some other governance.
Now, if something, an incident, were to affect the world of OT or to impact the world of OT, try walking into a boardroom to say, hey, that TCP/IP network over there was not my responsibility, right? I'd love to be in that room and eat some popcorn. The reality is the CISO is responsible for everything that is technology. And this is an opportunity for CISOs to look at the entire scope, look for centralization of technology governance decision-making, accelerate closing the gap that exists between OT and IoT, and bring that into the fold.

Guys, this is a really touchy subject, okay? Because when do you disclose, what does it mean to the reputation? So the question I guess I want to ask is, how should companies organize their security teams in the context of this new observational data point that gets them materially impacted by the rules, for the reasons you mentioned, and now the regulation? So do they change how CISOs organize the teams? Are there any thoughts on team structure, first response on the incident? I mean, again, I can only imagine the complexity of managing through this.

Yeah, so I think the structure conversation starts to come back to how you demonstrate good governance over cyber, right? From an incident perspective, I think now your incidents need to be organized, your response needs to be organized around how do you gather the data that's going to allow you to make a decision whether it's material or not. And I think the other part of the conversation that we often overlook is, I need to be able to justify and document when I make a decision that it's not material as well, right? And so you can't pick and choose when you're going to assess that materiality; it needs to be in the flow of every single incident, right? So as it evolves, you can make those calls. So like I said, I think there's going to be a lot of material, like operational impacts.
Based on your many years' experience, has it changed the structure of teams and workflows?

Yeah, so in general, I agree with exactly what Amy just said, but I will add that I think it's a personal decision for each organization, because of how organizations are structured, how they handle security incidents, the amount of visibility that gets all the way up the chain, how much of a boardroom topic the conversation actually is. All those things will really dictate how an organization should be structured. I would argue at the end of the day, the structure is not the most important. It's the governance that they have in place. It's how do they handle these incidents? Do they have an incident response plan? Do they have a crisis management plan? If so, how well does that get executed? You know, it's fantastic to have these plans in place, for organizations that do, but they've never practiced them. They haven't done those tabletop exercises. And the plan tends to get thrown out the window when an incident starts because now they're running around trying to figure out what's going on. So really having that professional, mature response, I think, is what we see as absolutely necessary now going forward, to make certain that when a breach becomes material, you can show that you've handled it, right? Like you're in the public and rest assured that you've got a good handle on it. You're acting according to everything you should. Your 8K filing is fine and it's being handled in the most mature and professional way possible. Whereas it hasn't always been the case.

Absolutely, and just on top of that, one more thing would be, why is the SEC doing this, right? The SEC is doing it to protect investors. And a 10K and an 8K is a communication between the board and management to the investor community. So the CISO is now being brought into this. The CISO is now being brought into the boardroom, you know, the big table, and the CISOs need to elevate their game.
They now need to be, you know, able to talk to a board. The board needs some security competence, and they need to have a relationship that is going to be ongoing, and it's going to be now forever.

That's a great point. If you don't mind, I want to just follow up with that. What's the feedback from CISOs on the viability and the feasibility of the regulations? What's their commentary? I mean, I'm sure they've got an opinion. You don't have to name names, but what's the general CISO opinion on this?

I'll take the first crack. Listen, a lot of CISOs sometimes are in the CFO organization very deep. Sometimes they're in the IT organization really deep. And like I said, cybersecurity has become such a common topic. It is in the topics of the President of the United States, CISA, everybody's talking about cybersecurity. So this really, really elevates the point. A lot of CISOs don't feel prepared. They don't feel they have had the right budget continuity. They haven't had the right sponsorship. They don't have the right representation in management and they don't have the right competence level in the board to hear them.

Oh, Amy, so I've got to ask you, maybe everyone can weigh in on this one. Okay, so with the cloud, it's an API economy. So that means third parties are working with each other. What's the impact on third party companies involved? Because everyone's a team sport, right? Both ways, security and defense. Is there a third party involved? What's their role?

Yeah, I think the interesting part about the ruling is it accounts for that as well, right? Because it said your material disclosure could include a material incident that's coming from one of your third parties, right? And so, you know, I think we've seen over the last few years, right, that threat surface continue to expand, right? The concern of the CISO is extending well beyond the bounds of their organization. I think this is just going to take that one step further.
Because that dialogue is going to have to be ongoing in the midst of an incident with your third party for you to be able to do that materiality determination.

Third party's huge. I mean, Kevin on the keynote yesterday, I love what he does on the keynote, because he's like, I used to do forensics and jump into the logs. He's the CEO now, he doesn't do that anymore. But he talks about how he used to spend his time doing reports. So I've got to feel like AI is an opportunity here, maybe even on the governance side, to not get so legal. Because I can imagine the CISOs gearing up for how to support the regulation, the rulings. Is there any kind of opportunity to apply AI or automation, or is it just too new of a thing? Any thoughts?

I can take a stab and say, from the governance perspective, I would say it's probably a bit too new. Governance still is very policy-driven, very human-driven. On the tech side, AI can absolutely help because it's going to reduce the toil for the SOC responders; that'll help them respond that much faster. Because four days, that's either an eternity, a lifetime in an attack, or it's not much time at all. It really depends on the attacker and what's going on. So the faster you can make your incident responders and your SOC analysts able to respond, the faster they can get a better handle on what's going on. The faster that, if you actually have to disclose there's an incident, you have a better handle on what's actually going on. So I would argue, yes, AI absolutely will help from the technology and the response perspective. The governance perspective, I think we need to wait and see how that evolves.

Co-pilot opportunity, AI will take care of it.

I think it's funny, we're talking about AI and how to incorporate AI. And like I said, I come from the world of industrial companies. Industrial companies do not have the basic instrumentation to monitor their networks; they don't have asset inventories.
So for a lot of these folks, visibility and instrumenting their industrial control and IoT networks to be at par with their IT networks is job number one. AI will come.

Yeah, get set up first, get that data. This picks up a good question. I mean, this is basically a trust question, right? And so on the IoT side, is this ruling more about investor trust or is there a longer term goal? Is it more of a beachhead to get going? Is there a lot of pressure? Does it have teeth? Does this ruling, I guess, is it the beginning? How important is this in terms of the CISO, really, in terms of their approach? And actually they've got to ramp up, make some changes. They've got compliance issues.

So I think it's very important. I think it's about investor trust, right? I think it remains to be seen, the teeth and those kinds of things. We'll have to see post December. But I think what it is going to do absolutely is change the conversation at the management and the board level with the CISO, right? Because now you have some of that regulatory pressure to elevate those dialogues. And I think that's good. That's good for CISOs. That's good for how we mitigate cyber risk across the industry, right? And I think that in and of itself, separate and apart from the regulation, will help us advance defense forward.

Okay, so for the folks watching, obviously this is new. There's regulations to comply with. There's best practices, opportunities to start doing. So I guess my next question is, what are the best practices for this? And then what are the penalties if they're not in compliance?

So yeah, why don't I take the best practices, Amy, and I'll turn it back over to you for the penalties. You know, from the best practices perspective, really it's almost back to security 101, as Kevin was talking a bit about yesterday. The organization needs to make sure that they have a good incident response plan. They need to have that risk and crisis management plan. They need to have exercised the plans.
They basically need to know what to do in this type of situation. Those plans need to evolve a little bit because, as an incident responder, incident materiality, that's not really my problem. That's not my call to make, right? But obviously we have to have legal and executives involved to be able to make that call. So there's a flow of information, and concise information, that has to happen to make sure that they can make those calls. That's probably a change in how organizations were planning their responses to incidents. Just making sure that their plans are now updated to account for all those facts. Making sure that they've battle-tested these plans. They're hard on their executives; they know how to respond. They know what third parties are involved. They know who exactly they're going to call. Just making certain that, as we would have wanted any organization to do beforehand, they know what to do in the case of an incident, just modified now to incorporate this particular ruling. And, Amy, on penalties.

Penalties, what's, flag on the play, what's the penalty?

Yeah, I mean, I think that there are fines and penalties, right, to be determined by the SEC, right? If they come back and say, you know, we deemed this incident to be material and you didn't disclose it to your investors, right? So it starts to put cyber in the realm of some of these other financial reporting risks that companies have been managing for decades.

Yeah, and this really kind of highlights the role of data and security, not as an IT department, but as a board level, tabletop conversation, as we've heard here. I mean, it really makes it as big as an earnings report, a filing. I mean, you have to disclose. This is a big deal.

Yeah.

I would say the only thing I would add is that this is just the first step, right? The SEC jumped the gun to protect investors, the right thing to do, but it's only the first step.
I think we're about eight months from having CISA do its move, and it's going to be very similar and it's also going to continue to have some teeth. So the CISOs and management teams and specifically boards need to start preparing for the new world.

What's your advice for the folks watching on this? What's the deal?

CISOs need to elevate the game. They need to be a lot more familiar with interacting as part of the management team and with the board towards investors, in this case with the SEC. I think the board needs to get some competency associated with cyber, as they did with financials or any other topic that becomes top of mind for investors and other regulatory bodies, and I think they've covered best practices quite well.

And then get the edge stuff nailed down, the devices all connected, get that data to set up the AI potentially as an opportunity.

I think getting the attention of the board and investors in the past on different topics has been fundamental in changing industries. Like, for example, Sarbanes-Oxley did amazing things for eliminating fraud, not 100%, but radically, from the newspapers, and I think we can do significant damage to the world of cyber and the evil doers with this movement that is coming.

Amy, we'll give you the final word. Essentially you guys do a lot of work with customers. What's your workflow motion with your customer base? What do they do? What are the steps that they take?

Yeah, so look, we're having these conversations with our clients, doing a lot of the things that we've talked about today. How do you get ready? I think the other topic that we've been discussing that we haven't touched on today is just how we think this ruling is going to change the C-suite accountabilities around cyber, right? Suddenly now the CFO has unique accountabilities around cyber risk, right? The general counsel, the CEO.
And so I think cyber risk is going to become more of a day-to-day part of their job, in good times and in bad times, from an incident perspective. And so for us, it's how do we work with our clients to help not just our CISOs prepare, but how do we help our C-suites prepare as well?

Amy, Marshall, Edgar, thanks for coming on theCUBE, appreciate it.

Thanks for having us here. Thanks so much.

Risk management, trust. It's going to be about trust and protection and responding to the adversaries. This is what's going to happen here. Mandy is covering all the action here at theCUBE. We'll be right back after this short break.