Risk Topics

what the SEC thinks about information risk


As a "knowledge worker", it's important to understand how one's output is used. If you don't have that, you've got no way of knowing how effective you are.

One of the best articles I've found recently that explains the view on information risk from the board of directors is this record of a speech in June of 2014 by SEC Commissioner Luis A. Aguilar, in which he expresses his view that:

1. boards directly oversee cybersecurity through options including:

a. considering the NIST Cybersecurity Framework as guidance for their organization

b. "mandatory cyber-risk education for directors"

c. adding board members who represent good information risk understanding

d. the creation of an enterprise risk committee at the board level, tasked with information risk oversight in addition to more traditional operational risk

2. Firms recognize the unusual speed by which infosec incidents unfurl, the high attention that they garner, the follow-on legal/financial costs and brand impacts, and the potential systemic nature of the knock-on effects. He goes on to espouse:

a. the creation of incident response plans (with the usual make-up that the SIRA crowd will of course know)

b. the appointment of a CISO

c. ensuring that the board knows how to evaluate said preparations in light of what's been accomplished at other firms

I think this article stands out because it's from the top of the regulatory heap, is surprisingly on-note, is readable and concise, and is loaded with quality references. Also, I think it helps people who've been living in this world understand how awareness is genuinely growing among the corporate governance set. Again; for technocrats it's important to understand how one's work is consumed.

© 2013 - 2019 werneburg information risk management inc.