By: Chris Ahern Senior Associate of SCV
A few weeks ago I joined Strategic Cyber Ventures, a D.C.-based venture capital firm that invests in early-stage, high-growth cybersecurity companies that fit our thesis of intrusion suppression. To that end, we focus on investing in companies that force adversaries to be resource-constrained, decrease dwell time, and prevent exfiltration of data rather than those that keep adversaries out by fortifying the perimeter. This concept consistently came up at Zero Day Con which I attended in New York City a few weeks ago. Zero Day Con brought together a number of the world’s thought leaders in cybersecurity for an afternoon of thoughtful discussion.
As I listened to the many talented speakers sharing their thoughts on today’s cybersecurity environment, it was shockingly similar to the discussions surrounding corporate governance and financial regulations following the Enron and WorldCom scandals of the early 2000s. As a reformed auditor turned cybersecurity venture investor, I thought this would be a unique insight worth sharing.
At the conference, we had Roland Cloutier (SVP and CSO for ADP) discussing a cyber professional’s need to understand the full value chain in order to protect his or her firm’s assets. Ronan Murphy (SmartTech CEO) shared his thoughts on the impending effects of the EU’s Global Data Protection Regulation (GDPR) including the establishment of an oversight body called the EU Data Protection Board (EDP). These will sound familiar to other (former) accountants/auditors. Needless to say, regulation was a consistent and recurring theme of the conference.
The recent Equifax breach raises much of the same panic, fear, and many of the same questions that arose following the Enron and WorldCom scandals. Who should and will be held accountable? How do we prevent this from happening again? Should we require a C-suite officer in charge of security? Should that individual report to a separate committee of the Board of Directors so as to not be influenced by other members of management? Which types of companies would these regulations apply to? Can these companies afford this and are we making them less competitive by burdening with added costs? Should we require security controls audits beyond those required for financial reporting?
These same questions were asked in the wake of Enron and WorldCom and ultimately resulted in the passage of the Sarbanes Oxley Act (SOX) in 2002.(1) Summarized below are a few of the key elements SOX established that are relevant to this discussion:
- Public Company Accounting Oversight Board (PCAOB) to independently oversee auditors of public companies
- Auditor independence, to reduce conflicts of interest
- CEO and CFO sign-off on the accuracy of financial statements with associated penalties
- Enhanced financial disclosures and internal controls reporting and compliance
- Specific criminal penalties associated with fraud and manipulation, destruction, or alteration of financial records
There are a few distinctions to make in this analogy. First, certain oversight measures were already in place before SOX came about. Enron had an audit committee and an external audit firm. This just goes to show how far off our security regulations really are. Second, in the financial reporting world, regulations are imposed to (among other things) prevent fraud. Fraud is the intent to deceive; whereas actions surrounding data and security breaches may only be described as negligent (though some would argue we’re starting to tow that line). Lastly, regulations governing financial reporting, audit accountability, and transparency are by no means perfect as we saw with the fallout of the Lehman Brother’s bankruptcy.(2)
It’s obvious we’re still in the very early innings when it comes to federal regulation and oversight of security practices. I fear that things are going to get worse before they get better. That an Enron or WorldCom-magnitude failure with widespread harm to financial markets as a whole may occur before these types of regulations really gain traction – but I hope I’m wrong. I believe the cybersecurity community can and should learn from other’s mistakes and take a few pages from the playbook used back in those days in the early 2000s.