https://community.isc2.org/t5/Industry-News/Cybersecurity-Expertise-on-the-Board/m-p/50619#M5765 <P>A few news articles came out yesterday around the SEC's proposed rule changes, specifically section II. Proposed Amendments (E), on whether public companies will need to disclose if they have someone on their Board with cybersecurity expertise.</P><P>&nbsp;</P><P><A href="https://www.sec.gov/rules/proposed/2022/33-11038.pdf" target="_blank" rel="noopener">Proposed rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure</A></P><P><A href="https://www.forbes.com/sites/bobzukis/2022/04/18/the-sec-is-about-to-force-cisos-into-americas-boardrooms/?sh=10261a2368a9" target="_blank" rel="noopener">The SEC Is About To Force CISOs Into America’s Boardrooms (forbes.com)</A> &nbsp;</P><P>&nbsp;</P><P>For those that don't read the above links, 'cybersecurity expertise' is loosely defined as:</P><P>&nbsp;</P><UL><LI><STRONG>Whether</STRONG> the director has prior work experience in cybersecurity, including, for<BR />example, prior experience as an information security officer, security policy analyst,<BR />security auditor, security architect or engineer, security operations or incident<BR />response manager, or business continuity planner;</LI><LI><STRONG>Whether</STRONG> the director has obtained a certification or degree in cybersecurity; and</LI><LI><STRONG>Whether</STRONG> the director has knowledge, skills, or other background in cybersecurity,<BR />including, for example, in the areas of security policy and governance, risk<BR />management, security assessment, control evaluation, security architecture and<BR />engineering, security operations, incident handling, or business continuity planning.</LI></UL><P>There were also a few RFC's that I thought were interesting and might drive some further discussion here in the Community.</P><P>&nbsp;</P><OL><LI><STRONG>Would</STRONG> proposed Item 407(j) disclosure provide information that investors would find useful? (Or if it would affect any decisions around using their services or products in your environment?)</LI><LI><STRONG>Would</STRONG><SPAN> the Item 407(j) disclosure requirements have the unintended effect of undermining a&nbsp;</SPAN>company's cybersecurity defense efforts or otherwise impose undue burdens on companies?</LI><LI><STRONG>Should</STRONG> any public companies be excluded? (Shortened for brevity)</LI><LI>And as always, any further thoughts from the Community on this issue.&nbsp;</LI></OL> Tue, 19 Apr 2022 14:28:40 GMT tmekelburg1 2022-04-19T14:28:40Z https://community.isc2.org/t5/Industry-News/Cybersecurity-Expertise-on-the-Board/m-p/50619#M5765 <P>A few news articles came out yesterday around the SEC's proposed rule changes, specifically section II. Proposed Amendments (E), on whether public companies will need to disclose if they have someone on their Board with cybersecurity expertise.</P><P>&nbsp;</P><P><A href="https://www.sec.gov/rules/proposed/2022/33-11038.pdf" target="_blank" rel="noopener">Proposed rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure</A></P><P><A href="https://www.forbes.com/sites/bobzukis/2022/04/18/the-sec-is-about-to-force-cisos-into-americas-boardrooms/?sh=10261a2368a9" target="_blank" rel="noopener">The SEC Is About To Force CISOs Into America’s Boardrooms (forbes.com)</A> &nbsp;</P><P>&nbsp;</P><P>For those that don't read the above links, 'cybersecurity expertise' is loosely defined as:</P><P>&nbsp;</P><UL><LI><STRONG>Whether</STRONG> the director has prior work experience in cybersecurity, including, for<BR />example, prior experience as an information security officer, security policy analyst,<BR />security auditor, security architect or engineer, security operations or incident<BR />response manager, or business continuity planner;</LI><LI><STRONG>Whether</STRONG> the director has obtained a certification or degree in cybersecurity; and</LI><LI><STRONG>Whether</STRONG> the director has knowledge, skills, or other background in cybersecurity,<BR />including, for example, in the areas of security policy and governance, risk<BR />management, security assessment, control evaluation, security architecture and<BR />engineering, security operations, incident handling, or business continuity planning.</LI></UL><P>There were also a few RFC's that I thought were interesting and might drive some further discussion here in the Community.</P><P>&nbsp;</P><OL><LI><STRONG>Would</STRONG> proposed Item 407(j) disclosure provide information that investors would find useful? (Or if it would affect any decisions around using their services or products in your environment?)</LI><LI><STRONG>Would</STRONG><SPAN> the Item 407(j) disclosure requirements have the unintended effect of undermining a&nbsp;</SPAN>company's cybersecurity defense efforts or otherwise impose undue burdens on companies?</LI><LI><STRONG>Should</STRONG> any public companies be excluded? (Shortened for brevity)</LI><LI>And as always, any further thoughts from the Community on this issue.&nbsp;</LI></OL> Tue, 19 Apr 2022 14:28:40 GMT https://community.isc2.org/t5/Industry-News/Cybersecurity-Expertise-on-the-Board/m-p/50619#M5765 tmekelburg1 2022-04-19T14:28:40Z https://community.isc2.org/t5/Industry-News/Cybersecurity-Expertise-on-the-Board/m-p/50680#M5776 <P>If the board makes any budgetary recommendations then I think it would be prudent to have cyber security representation on there. You don't want cybersecurity to be underfunded because it's necessity was not understood.</P> Fri, 22 Apr 2022 18:17:05 GMT https://community.isc2.org/t5/Industry-News/Cybersecurity-Expertise-on-the-Board/m-p/50680#M5776 CISOScott 2022-04-22T18:17:05Z