Trends, surprises emerge from early research on cyber-related SEC disclosures
Rob Sloan, VP, Cybersecurity Advocacy, Zscaler
For the past few weeks, I’ve been heads down analyzing what we can learn about cybersecurity from proxy statements from S&P 500 companies. A few trends were expected, but the complete results were nevertheless surprising.

I broke down the findings into three broad areas:

  • Board committee oversight of cybersecurity – Unsurprisingly, the majority of boards (four out of five) designate cybersecurity oversight responsibility to their audit committee. Despite authorities like the National Association of Corporate Directors recommending that cyber risk oversight is a full board issue, my research identified only 8% of the 500 companies that agreed in practice.

  • Disclosure practices in proxy statements – Only 79% of companies judged it necessary to make any disclosures about their cyber programs to investors, and those that did often failed to disclose anything concrete. The analysis showed how few companies disclosed previous cyber incidents, and only 8% stated they aligned with the National Institute of Standards and Technology’s Cybersecurity Framework.

  • Disclosing director cybersecurity expertise – Disclosures around director expertise in cybersecurity are problematic. While announcing directors’ cybersecurity credentials was initially suggested as a component of the new SEC disclosures, it was ultimately dropped and the result appears to be “gaming” of the system by boards. Over half of boards included cybersecurity on their board skills matrix, but too often the skill was bundled with another broader skill, such as information technology, which allowed more directors to check the box.

I would love to hear your thoughts on my complete research. You can learn more on LinkedIn or find a combined piece discussing it here.
 
From the Office of the CISO:
Adding a twist to the epic of vulnerability management
Sam Curry, VP & CISO in Residence, Zscaler
We are in our fourth decade since the Security Administrator Tool for Analyzing Networks (SATAN) hit the scene and we have to ask ourselves, “Why is it still so hard to effectively patch systems?”

To be fair, the landscape hasn’t exactly stayed the same: the adversaries, defensive tools, even the way we define vulnerabilities and how cybercriminals exploit them have shifted. Nevertheless, history does seem to rhyme an awful lot as we continue to struggle to collectively enhance our cyber defenses.

Let’s dive into why—and how we can keep this perennial problem from rhyming into its fifth decade.

Why we just can’t get patching right.
 
Editor's Picks & Events
Like Australia, New Zealand has witnessed troubling cybersecurity trends in recent years. According to the country’s National Cyber Security Centre, financially motivated cybercrime has outpaced state-backed activity for the first time, threatening the wellbeing of New Zealanders. Recent research found that 70 percent of companies with 100 or more employees were in some way disrupted by cybercrime in 2023.
How experts are countering rising cyber threats in ANZ
The biggest challenge facing the modern CISO isn’t a technical one. It is, in fact, demonstrating consistent alignment with business objectives and how the CISO’s day-to-day efforts support them. That’s according to veteran CISO turned Zscaler VP & CISO in Residence, Sam Curry.
How security leaders can alleviate boards’ cyber concerns
Cybersecurity teams face complex challenges when budgeting talent and solutions to meet their organizations’ expectations of cyber risk mitigation. Properly evaluating cyber risk is a challenge leaders know all too well. How can you establish good relationships and foster meaningful conversations in this complex space?
Taking the guesswork out of quantifying cyber risk exposure
Innovation is difficult for companies large and small. That’s in part due to a number of unanswered questions that tend to obscure the process and its intended outcomes. What is innovation? Who "owns" it? Whatever form innovation takes, you can be certain the CIO/CTO team will be expected to facilitate and support it.
Apply the three horizons model to drive your growth
Cybercriminals are growing more sophisticated, breaches are becoming more common, and the number of records being lost is increasing. The good news is that the industry is maturing and zero trust architecture (ZTA) is redefining our technology environments. But it's essential to know what zero trust is and what it is not.
The basics of building a solid security foundation with zero trust
 
Podcast Center
Tune in and zone out to stories of digital business and cybersecurity excellence from across our CXO community.
The CIO Evolution | Ep. 35
Recorded at RSA Conference 2024, Nat Smith, Senior Director of Product Management at Zscaler, goes past the headlines to expose the technical and business value of the announcement between Zscaler and Google Chrome Enterprise and of recent Zscaler acquisitions.
Listen now

The CIO Evolution | Ep. 36
James Beeson, an advisor, board member, investor, and former Global CISO for The Cigna Group and GE Capital, joins the show to share his deep experience and insights on communicating cyber risk, collaborating with CIOs, and establishing oneself as a trusted professional. Learn why keeping the difference between what you say and what you do to a minimum is critical to integrity and effectiveness.
Listen now
Contact
Contact the Customer Experience &
Transformation Team: [email protected]

View us on YouTube: youtube.com/@CXOrevolutionaries
Follow us on Twitter: @zscaler
Connect on LinkedIn: CXO REvolutionaries