August 2023 Newsletter – Intercast and ChatGPT

Welcome to the August edition of Intercast’s monthly newsletter for cybersecurity professionals. As always, we’ll bring you the latest news and views to bring you up to speed. In this issue:

  • Client Insight: VCISOs – growing in popularity in the midmarket
  • SEC Delays Cybersecurity Regulations
  • US Launches Cybersecurity Label
  • European Cybersecurity Regulations Take A Step Forward
  • Questions For West On Cyberattacks

Client Insight:

This month we’ve spoken to several partners on the topic of the virtual CISO. When we say virtual, we’re not talking about getting ChatGPT or an algorithm to handle your security. Instead, it’s where an expert takes on the role without coming in as a full-time, in-house employee. Instead, they work remotely, often on a part-time or even “as needed” schedule.

It’s not the right option for everyone, particularly firms uncomfortable with remote working, but it does have at least three great use cases:

  • businesses that don’t have a need for a full-time CISO;
  • businesses that have a CISO but need somebody for extra C-suite responsibilities; and
  • businesses that want to hire a top-level CISO even if the budget doesn’t stretch to bringing them in as a full-time staffer.

SEC Delays Cybersecurity Regulations

New SEC rules designed to boost cybersecurity have been delayed until at least October. However, it’s not a reason to delay compliance efforts.

The rules will mean three key changes for publicly traded companies. They’ll need to publicly disclose cybersecurity breaches within four days of discovering them. They’ll need to detail their organizational approach to cybersecurity, including whether they have a CISO. And they’ll need to list any cybersecurity expertise among board members, the idea being that the absence of such listings will speak volumes.

The commission has yet to confirm the reasons for the delay. Analysts suggest it’s a combination of general complexity in figuring out the detail and specific concerns from the FBI about going public quickly with breaches that are under police investigation.

US Launches Cybersecurity Label

Most of us are familiar with the Energy Star badge that shows when products or buildings meet environmental standards. The new US Cyber Trust Mark aims to do the same for cybersecurity in smart devices. The precise details of the cybersecurity standards are still under discussion. The basic principle is that products will bear a badge in one of five colors, corresponding to five sets of standards. These will cover groups of products with different security and privacy implications, for example whether or not they have a camera.

One likely point of debate in setting the standards is whether to include requirements such as regular software updates. In principle, that’s one of the most important factors in whether a smart product is secure. The problem is that a badge showing a company promises to update software means little unless that commitment is legally binding.

European Cybersecurity Regulations Take A Step Forward

While the US opts for the carrot approach with its cybersecurity badge, Europe is firmly opting for the stick. The relevant government ministers across the European Union’s member countries have backed mandatory cybersecurity regulations for connected devices.

Broadly, the rules mean manufacturers become responsible for carrying out cybersecurity risk assessments and becoming more transparent about both hardware and software security. Ministers have tweaked the original proposals to add support to help small and micro businesses comply, and to figure out how to decide the expected product lifetime during which manufacturers should keep devices secure.

The proposals will now go to the European Parliament, where elected lawmakers will need to negotiate and approve the rules before they can come into force.

Questions For West On Cyberattacks

We hear plenty about cyberattacks that appear to be backed by the governments of Russia, China and even North Korea. But why don’t we hear about similar backing from Western governments?

The BBC looked into the issue, prompted by an apparent attack on Russia-based security firm Kaspersky. It explores whether the US and its allies really do avoid carrying out cyberattacks or simply do a better job of hiding their origin.

One theory is that it’s a reporting quirk. Many attacks are uncovered by cybersecurity firms, for example through monitoring how their anti-malware tools protect customers. It’s possible that if a Western nation was behind an attack, the target would be in a country where said cybersecurity firm has few if any clients.

Another theory is that even if the cybersecurity companies did discover a Western-based attack, they’d be reluctant to point the finger at governments that are often among their biggest clients.

Best of the rest

Here’s our round-up of some of the other stories you need to know about: