CyberWire Daily

What does materiality mean exactly?

Rick Howard, N2K CyberWire’s Chief Analyst and Senior Fellow, discusses the meaning of cybersecurity materiality.

References:

Amy Howe, 2024. Supreme Court strikes down Chevron, curtailing power of federal agencies [Blog].

Cydney Posner, 2023. SEC Adopts Final Rules on Cybersecurity Disclosure [Explainer]. The Harvard Law School Forum on Corporate Governance.

Cynthia Brumfield, 2022. 5 years after NotPetya: Lessons learned [Analysis]. CSO Online.

Eleanor Dallaway, 2023. Closed for Business: The Organisations That Suffered Fatal Cyber Attacks that Shut Their Doors For Good [News]. Assured.

Gary Cohen, 2021. Throwback Attack: Chinese hackers steal plans for the F-35 fighter in a supply chain heist [Explainer]. Industrial Cybersecurity Pulse.

James Pearson, 2022. Russia downed satellite internet in Ukraine [News]. Reuters.

Katz, D., 2021. Corporate Governance Update: "Materiality" in America and Abroad [Essay]. The Harvard Law School Forum on Corporate Governance.

Kim Zetter, 2014. Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon [Cybersecurity Canon Hall of Fame Book]. Goodreads.

Lizárraga, C.J., 2023. Improving the Quality of Cybersecurity Risk Management Disclosures [Essay]. U.S. Securities and Exchange Commission.

Matthew Daly, 2024. Supreme Court Chevron decision: What it means for federal regulations [WWW Document]. AP News.

Rick Howard. Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon [Book Review]. Cybersecurity Canon Project.

Rick Howard, 2021. Using cyber sand tables to study the DNC hack of 2016 [Podcast]. The CyberWire.

Rick Howard, 2022. Cyber sand table series: OPM [Podcast and Essay]. The CyberWire.

Staff, 2020. Qasem Soleimani: US strike on Iran general was unlawful, UN expert says [Explainer]. BBC News.

Staff, 2023. Final Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure [Government Guidance]. U.S. Securities and Exchange Commission.

Staff, 2024. Number of Public Companies v. Private: U.S. [Website]. Advisorpedia.

Duration:
11m
Broadcast on:
12 Aug 2024
Audio Format:
mp3

[Music] You're listening to the CyberWire Network, powered by N2K.

[Music] The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now, employees, apps, and networks are everywhere. This means poor visibility, security gaps, and added risk. That's why Cloudflare created the first-ever connectivity cloud. Visit cloudflare.com to protect your business everywhere you do business.

[Music] This episode is brought to you by Shopify. Forget the frustration of picking commerce platforms when you switch your business to Shopify, the global commerce platform that supercharges your selling, wherever you sell. With Shopify, you'll harness the same intuitive features, trusted apps, and powerful analytics used by the world's leading brands. Sign up today for your $1 per month trial period at Shopify.com/tech, all lowercase. That's Shopify.com/tech.

The idea of cybersecurity materiality is tough to get your hands around. I'm part of a Carnegie Mellon University team, CMU, that contributes to a six-month-long Chief Information Security Officer certificate program. It targets existing CISOs who want to sharpen their skills and other security professionals looking to get into the CISO game. CMU brings in 18 cybersecurity luminaries, like Cybersecurity Canon Hall of Fame authors Jack Jones, co-author of Measuring and Managing Information Risk (he's the inventor of the FAIR model), Randy Trzeciak, co-author of The CERT Guide to Insider Threats, and Doug Hubbard, co-author of How to Measure Anything in Cybersecurity Risk. Don't ask me how I got on the list. Clearly, CMU was misinformed about what the word "luminary" means. I was misinformed. For my piece, twice a year, I facilitate a five-hour session that covers and updates the subjects in my book, Cybersecurity First Principles: A Reboot of Strategy and Tactics.

Each time we do it, there is a subset of students, consisting of senior government people looking to make the transition to the commercial world, or just trying to understand how we civilians think about the job of being a CISO. Last December, my class had a handful of senior U.S. Navy people, and they were intensely interested in how the Navy could improve their cybersecurity risk forecasting. But after listening to Jones, Hubbard, and me go on and on about what risk forecasting means, they specifically kept stumbling on how I defined it. Now, you all know that for the past four years, I've made the case that in order to solve cybersecurity, the starting point, the absolute atomic first principle, is this: reduce the probability of material impact due to a cyber event in the next three to five years. The thing that the Navy leadership kept stumbling over is the idea of materiality. Their understanding was that materiality was simply a financial term used by public companies in their quarterly earnings reports, and it had no meaning for companies that weren't public, and especially for government organizations, institutions that aren't in business at all. In the first principles book, I estimate that there are some 6 million companies, nonprofits, and government institutions in the United States. And according to Advisorpedia, as of 2024, there are only 2,790 public companies. Navy leadership rightfully asked the question: if materiality only applies to less than 1% of the entire population, how can it be an integral part of any first principle? That's a great question. Let's find out.

So, hold on to your butts. Hold on to your butts. This could get interesting.

My name is Rick Howard, and I'm broadcasting from the N2K CyberWire's Secret Sanctum Sanctorum Studios, located underwater somewhere along the Patapsco River near Baltimore Harbor, Maryland, in the good old U.S. of A. And you're listening to CSO Perspectives, my podcast about the ideas, strategies, and technologies that senior security executives wrestle with on a daily basis.

[Music] According to the Harvard Law School Forum on Corporate Governance, Supreme Court Justice Thurgood Marshall crafted the landmark judicial definition of materiality in 1976. He wrote in the TSC Industries versus Northway case that a fact is material if there is a substantial likelihood that a reasonable shareholder would consider it important in deciding how to vote, or a substantial likelihood that the disclosure of the omitted fact would have been viewed by the reasonable investor as having significantly altered the total mix of information made available. Whoo! That's a mouthful. So, restated for a public company in the United States, materiality is any event that significantly impacts share value. That seems straightforward enough until you view it through the lens of cybersecurity. Except for some obvious significant public cyber attacks, like the 2017 Russian NotPetya campaign, where the total estimated damage worldwide was north of $10 billion, public companies have never really addressed cybersecurity material risk in their earnings calls, at least not as a matter of course. Business leaders and InfoSec professionals don't really have the language yet to bridge the gap between typical business materiality issues, like mergers and acquisitions, and the InfoSec professionals' favorite tool to convey cybersecurity risk, the heat map. That started to change in 2023. The U.S. Securities and Exchange Commission, the SEC, approved a new rule for all public companies: leadership must report material cyber events within four business days. All of a sudden, cybersecurity materiality became a real thing that security practitioners in public companies needed to worry about. Every public company CISO worth their salt made a beeline to the CFO's office in order to come to some understanding about how they were going to define cybersecurity materiality going forward.

But hold the phone. In another landmark decision this summer, 2024, the U.S. Supreme Court reversed its 1984 ruling in the case of Chevron versus the Natural Resources Defense Council, better known as the Chevron Doctrine, that allowed federal agencies like the SEC to enforce their own rules in lieu of specific laws passed by Congress. Chief Justice John Roberts called the Chevron Doctrine "fundamentally misguided." This shift away from the Chevron Doctrine introduces a period of uncertainty for the enforcement of the SEC's cybersecurity reporting rule. Companies and regulators alike will need to navigate this new legal landscape very carefully. The rule doesn't go away, but now public companies have a legal path for non-compliance. What a mess. Regardless of what you think about the SEC reporting rule, the Supreme Court's reversal on the Chevron Doctrine just tossed a giant bucket of chaos and uncertainty on the entire question of cybersecurity material reporting for public companies. As a side issue, the entire idea of government oversight by named institutions like the Food and Drug Administration and the Environmental Protection Agency, just to name two, has been called into question. For now, InfoSec professionals in the U.S. will get no legal clarity any time soon on what is material and how it should be reported. Since what we did have before only applied to public companies anyway, this is probably not a big loss for the InfoSec profession. But in terms of cybersecurity first principles, though, is materiality still an essential concept?

[Music] If you take any three random people walking down the hallway at your headquarters building and lock them in a room with a whiteboard for an hour, they could probably come up with hundreds of potential risks to the business or some government mission.

[Music] And that's our show. Well, part of it. There's actually a whole lot more. And if I do say so myself, it's all pretty great. So here's the deal. We need your help so we can keep producing the insights that make you smarter and keep you a step ahead in this rapidly changing world of cybersecurity. If you want the full show, head on over to thecyberwire.com/pro and sign up for an account. That's thecyberwire.com/pro, all one word. For less than a dollar a day, you can help us keep the lights and the mics on and the insights flowing. Plus, you get a whole bunch of other great stuff like ad-free podcasts (my favorite), exclusive content, newsletters, and personal level-up resources like practice tests. With N2K Pro, you get to help me and our team put food on the table for our families, and you also get to be smarter and more informed than any of your friends. I'd say that's a win-win. So head on over to thecyberwire.com/pro and sign up today for less than a dollar a day. Now, if that's more than you can muster, that's totally fine. Shoot an email to pro@N2K.com and we'll figure something out. I'd love to see you over here at N2K Pro.

And one last thing. Here at N2K we have a wonderful team of talented people doing insanely great things to make me and this show sound good. I think it's only appropriate you know who they are.

I'm Liz Stokes. I'm N2K CyberWire's associate producer.
I'm Trey Hester, audio editor and sound engineer.
I'm Elliott Peltzman, executive director of Sound and Vision.
I'm Jennifer Eiben, executive producer.
I'm Brandon Karpf, executive editor.
I'm Simone Petrella, the president of N2K.
I'm Peter Kilpe, the CEO and publisher at N2K.
And I'm Rick Howard. Thanks for your support, everybody. And thanks for listening.

This September 18th and 19th in Denver, a tight community of leading experts is gathering to tackle the toughest cybersecurity challenges we face. It's happening at mWISE, the unique conference built by practitioners for practitioners. Brought to you by Mandiant, now part of Google Cloud, mWISE features one-to-one access with industry experts and fresh insights into the topics that matter most right now to frontline practitioners. Register early and save at mwise.io/cyberwire. That's mwise.io/cyberwire.

[Music]