What can the cybersecurity world learn from the more established financial security world on how to approach regulation?

Anonymous Author
Having been in finance a long time, countless people are constantly looking at how to actually steal money, move money. Even in internal operations, expense fraud. The salesperson wanting to have a higher ASP so that they get an accelerator. Everybody's always trying to game the financial system internally. But if you look at something like financial integrity, there's real pain to the shareholders and executives if they don't demonstrate a level of financial integrity in their reporting. From a data perspective there's no proof that there's any real shareholder impact because of a data breach other than temporary monetary loss caused by emotional selloff. And that's generally more exacerbated when it's an availability issue because it impacts revenue, right? There's a bunch of great NIST stuff and things out there. But people don't necessarily implement it and then use it to deliver an outcome, right? Which is why I go, "How do we get an outcome that I'm accountable for as a CISO and chief security officer, and the other executives and the board are equally accountable for?" Not that you can eliminate risks. Just like you couldn't eliminate the potential for a financial integrity issue because of one bad apple or a couple of coordinated actors. But by and large, we haven't had any substantive financial integrity accounting issues in almost two decades now. And I go, there's something to be said about that. I hated Intel's Sarbanes-Oxley effort for all of the systems and application infrastructure. It was a royal pain. But you define your own key controls to manage material risk issues, right? Even though at the time, I was like, "It's not going to move the needle." In retrospect, as I've thought about this, I'm like, "Maybe it did."
1 upvotes
Anonymous Author
I can think of scenarios I've seen. You want to open a line of credit with the bank, pretty straightforward thing. And you're a startup company. And they ask you as part of the due diligence questions like, "Hey, do you have any employees or contractors based in the following places?" And if Ukraine pops up on the list, they'd be like, "Whoa, total showstopper. Where in Ukraine? Are they in Crimea?" And then you have to explain, "No, no, no, they are not in Crimea, they're in Kiev and this is all good." And something like that in the financial sort of money world in terms of banking can be a total showstopper. There should be similar requirements across the board for good information/cyber security controls and practices. There is a lot we can learn from FINSERV and other highly regulated industries about how to model cybersecurity standards.
1 upvotes