A new SEC proposal spotlights the role of cybersecurity vendors in
As CISOs increase their presence in the boardroom, they are learning to translate highly technical cybersecurity issues into business impacts. That’s the only way they can hope to influence other executives, board members, and investors.
To speak the language of their C-suite peers, CISOs first need a good grasp of current business issues, especially those in the financial arena. Of course, they avidly follow the prevailing financial news media. But then they need to connect the dots between finance and cybersecurity.
And in this, CISOs are finding strong support from their cybersecurity vendors.
The link between the C-Suite and cybersecurity vendors
If that last fact surprises you, consider a recent development in the finance sector, which has observed an alarming increase in cybersecurity incidents with significant economic impacts. To help investors navigate these treacherous waters, the Securities and Exchange Commission (SEC) issued a proposal to update its rules for how companies should disclose their cybersecurity risks. Among other things, the new rules will require companies to provide a lot more detailed information on those risks.
Companies will look to their CISOs for this detail. And CISOs, in turn, will rely on their SecOps teams, who manage all the cybersecurity software tools deployed throughout the enterprise and in the cloud. These tools monitor network traffic, decrypt and inspect packets for malware, identify vulnerabilities, help trace sources of attacks, and more. In addition to providing data, the tools support risk management processes, which the SEC also covers in its proposed new rules.
Cybersecurity vendors have already recognized this growing need for information. They are investing heavily in updating and expanding their software and services for cybersecurity posture management and other analytics systems. They have also taken pains to develop reporting formats that facilitate compliance with the requirements of the Payment Card Industry Data Security Standard (PCI DSS) and the Financial Crimes Enforcement Network’s Suspicious Activity Report (FinCEN SAR), among others.
Human expertise takes CISOs where technology cannot
Advanced technologies—some of them AI-driven—are necessary to deal with a company’s overwhelming volume of cyber-risk data. But they are not sufficient to help CISOs anticipate the changing nature of boardroom discussions, the CISO’s expected contribution, and the impact the new information will have on decision-making processes within the enterprise. It is important for CISOs to have a firm grasp on these things, because the proposed SEC rules also include disclosure about management’s role in assessing and managing such risk, as well as the extent of expertise that management or any members of the board have in cybersecurity.
You might say the logical source of such guidance would be specialist law firms and tax consultants. They certainly know their material. But their publications are most often geared towards other financial professionals, which makes them a heavy slog for the harried CISO.
On the other hand, as key business partners of enterprise security teams, cybersecurity vendors are heavily invested in understanding the various external developments that directly affect CISOs. The vendors themselves employ CISOs, who are also seasoned financial industry experts, and as such can offer valuable insights. In the case of one such expert at a leading cybersecurity vendor, NAVAJO created the messaging in the form of educational blogs and articles about the SEC proposal, the gaps he found in it, and most importantly, the implications for corporate security.
Communicating insights is a team effort
Many subject matter experts (SMEs) like the one we worked with are highly sought after and, understandably, short on time. But time—to gather thoughts, articulate them clearly, and then rework and revise through ongoing feedback—is precisely what is required in order to communicate expert knowledge competently.
That’s why our cybersecurity clients have come to rely on NAVAJO Company. With years of experience in the cybersecurity industry, bolstered by writers who also possess financial sector expertise, NAVAJO helps cybersecurity vendors communicate with CISOs about financial topics in a way that is clear without being too simplistic.
It still requires effort from the SME, but it is a shared effort. That means the expert insights the vendor wants to share are far more likely to reach publication in a timely and sanity-preserving manner.