The Post-SolarWinds Cyberattack Reckoning Is Coming

Executive leadership teams beware!  If you thought your lack of cybersecurity leadership knowledge was never going to impact you, you are mistaken.

The post-SolarWinds cybersecurity disaster and impact on both publicly traded companies and federal government agencies will change the way the investor community, cybersecurity regulators, and the public will be viewing this lack of cybersecurity knowledge by senior leaders, corporate executives, and corporate directors.

The Sarbanes-Oxley (SOX) Act was passed in 2002 as a result of multiple financial scandals involving large publicly traded organizations such as Enron and WorldCom which negatively impacted investors. The SOX Act created the Public Company Accounting Oversight Board, strengthened the independence and financial literacy of corporate boards, required annual disclosure and assessment of its internal controls, held CEOs personally responsible for errors in financial accounting audits, and provided criminal penalties for any company official or accountant engaged in fraudulent activities in violation of this Act.

The SOX Act also required public companies to disclose whether at least one audit committee financial expert (ACFE) serves on its audit committee or to disclose the reason for not having such an expert. Under SEC rules, an ACFE is defined as an individual possessing all of the following attributes:

1. An understanding of generally accepted accounting principles and financial statements;
2. Experience applying such generally accepted accounting principles in connection with the accounting for estimates, accruals, and reserves that are generally comparable to the estimates, accruals and reserves, if any, used in the registrant's financial statements;
3. Experience preparing or auditing financial statements that present accounting issues that are generally comparable to those raised by the registrant's financial statements;
4. Experience with internal controls and procedures for financial reporting; and
5. An understanding of audit committee functions.

This act created significant compliance requirements for publicly traded organizations, accounting firms, and their respective senior leadership and corporate directors.

Based on the initial and devastating impact of this latest Russian cyberattack, it can be anticipated necessary changes in how cybersecurity is addressed by executives as an enterprise risk for both the private and public sector is warranted.

After forensic and congressional investigations are conducted, findings will identify gaps, deficiencies, and the lack of action on the part of the victim organization’s leadership in securing their organizations from sophisticated cyberattacks.  Among the findings which can be anticipated will be the following:

1. The lack of cybersecurity experts on boards and senior leadership teams (excluding the CIO/CISO);
2. The lack of cybersecurity training for the appropriate number of highly skilled cybersecurity professionals to identify, protect, detect, respond, and recover from these types of sophisticated cyberattacks; and
3. The lack of cybersecurity leadership training for senior leaders, corporate executives, and corporate directors in better understanding and appropriately addressing cybersecurity as an enterprise risk for the organization.

What requirements will be made of organizational leadership to better understand cybersecurity and be able to “trust but verify” what is being reported to them by their CIO/CISO regarding their organization’s cybersecurity risk management program and cybersecurity posture?  One point is clear, having a foundational understanding of the various facets of cybersecurity will be required as a minimum requirement.  This foundational understanding does not require a computer science or information systems degree but does require a foundational understanding in areas such as:

• Integrating the Cyber Threat In Strategic Planning
• Understanding the Cyber Threat Landscape And The Basics Of Information Technology
• Understanding Malicious Software
• Information Operations (Nation State/Advanced Persistent Threat)
• Critical Infrastructure and Industrial Control Systems
• Wireless and Mobile Devices
• Web Infrastructure and Third-Party Risk
• Cybercrime and Hacktivism
• The Cyber Underground
• Cyber Defense, Incident Response and Recovery
• Cyber Education and Cyber Training
• Cyber Regulators and Cybersecurity Frameworks
• Private Sector and Public Sector Partnerships

If Cybersecurity Leadership Training Were Required in Today’s Annual Disclosure to Investors and Regulators

If your organization had to disclose to cybersecurity regulators and the investing community what cybersecurity leadership training its executives, corporate directors, and leadership teams had obtained during the previous twelve months, what would this disclosure state?

If your organization has nothing or very little to report on any cybersecurity leadership training your executives, corporate directors, and leadership teams have taken in this hypothetical annual disclosure, it is time for your Training Coordinator to purchase and schedule your organization’s cybersecurity leadership training.

Consider the online Hacking the Cyber Threat Cybersecurity Leadership Program created by a 27 year retired FBI Special Agent who is a CPA, CISSP, holds multiple advanced cybersecurity certifications, and has experience in the following cybersecurity leadership positions:

• FBI Cyber Division Executive leading FBI cyber intrusion investigations,
• Deputy Director of the National Cyber Investigative Task Force
• FBI National Academy Cybersecurity Leadership Instructor, and
• Cybersecurity Managing Director with a Big 4 accounting firm.

With its two week recommended schedule, your executive team could complete this foundational cybersecurity leadership over this holiday season.

By taking this foundational cybersecurity leadership training, your organization can develop a cadre of cyber savvy leaders to assist your organization in providing the strategic resources to create the most mature cybersecurity risk management program and cyber posture for your organization.