Brakeing Down Security Podcast   /     NIcole Sundin - CPO at Axio - SEC compliance, usable security, setting up risk mgmt programs

Description

Disclaimer: The views, information, or opinions expressed on this program are solely the views of the individuals involved and by no means represent absolute facts. Opinions expressed by the host and guests can change at any time, and do not represent views of past, present, or future employers.   Guest Bio:  Nicole is the Chief Product Officer at Axio. Nicole has spent her career building awareness around the benefits of usable security and human-centered security as a way to increase company revenue and create a seamless user experience.   Youtube VOD Link: https://youtube.com/live/tFaAB9an47g   Questions and topics: Usable security: is it an oxymoron? What determines if the security is ‘usable’ or no? We sacrifice security for a better UX, what can be done to alleviate that? Or is it some sort of sliding scale in “poor UX, amazing security or awesome UX, poor security” Examples of poor UX for ‘people’: MFA, and password managers. SEC updates and ‘material events’ and how that would affect security, IR, and other company reporting functions. Also, additional documentation (Regulation S-K Item 106) https://www.linkedin.com/posts/nicole-sundin-5225a1149_sec-adopts-rules-on-cybersecurity-risk-management-activity-7090065804083290112-ISD8 Are companies ready to talk about their cybersecurity? Can the SEC say “you’re not doing enough?” What is ‘enough’? Are we heading toward yet another audit needed for public companies, similar to SOX? When does an 8-K get publicly disclosed? Materiality is based on a “reasonable investor”? So, you don’t need to announce that until you’re certain, and it’s based on what you can collect? Cyber Risk Management and some good examples of how to set up a proper  cyber risk organization   Additional Links: https://csrc.nist.gov/CSRC/media/Projects/usable-cybersecurity/images-media/Is%20Usable%20Security%20an%20Oxymoron.pdf  http://web.mit.edu/Saltzer/www/publications/protection/Basic.html  https://www.sec.gov/news/press-release/2023-139  https://www.sec.gov/news/statement/munter-statement-assessing-materiality-030922  https://www.pwc.com/us/en/services/consulting/cybersecurity-risk-regulatory/sec-final-cybersecurity-disclosure-rules.html  https://www.nasa.gov/centers/ames/research/technology-onepagers/hc-computing.html  https://securityscorecard.com/blog/what-is-cyber-security-performance-management/  

Subtitle
Disclaimer: The views, information, or opinions expressed on this program are solely the views of the individuals involved and by no means represent absolute facts. Opinions expressed by the host and guests can change at any time, and do not represent...
Duration
01:06:08
Publishing date
2023-09-23 03:59
Link
http://brakeingsecurity.com/nicole-sundin-cpo-at-axio-sec-compliance-usable-security-setting-up-risk-mgmt-programs
Contributors
  NIcole Sundin and Bryan Brake
author  
Enclosures
https://traffic.libsyn.com/secure/brakeingsecurity/Nicole_sundin-final.mp3?dest-id=177487
audio/mpeg

Shownotes

Disclaimer: The views, information, or opinions expressed on this program are solely the views of the individuals involved and by no means represent absolute facts. Opinions expressed by the host and guests can change at any time, and do not represent views of past, present, or future employers.

 

Guest Bio: 

Nicole is the Chief Product Officer at Axio. Nicole has spent her career building awareness around the benefits of usable security and human-centered security as a way to increase company revenue and create a seamless user experience.

 

Youtube VOD Link: https://youtube.com/live/tFaAB9an47g

 

Questions and topics:

  1. Usable security: is it an oxymoron? What determines if the security is ‘usable’ or no?

  2. We sacrifice security for a better UX, what can be done to alleviate that? Or is it some sort of sliding scale in “poor UX, amazing security or awesome UX, poor security”

  3. Examples of poor UX for ‘people’: MFA, and password managers.

  4. SEC updates and ‘material events’ and how that would affect security, IR, and other company reporting functions. Also, additional documentation (Regulation S-K Item 106) https://www.linkedin.com/posts/nicole-sundin-5225a1149_sec-adopts-rules-on-cybersecurity-risk-management-activity-7090065804083290112-ISD8

  5. Are companies ready to talk about their cybersecurity? Can the SEC say “you’re not doing enough?” What is ‘enough’? Are we heading toward yet another audit needed for public companies, similar to SOX? When does an 8-K get publicly disclosed?

  6. Materiality is based on a “reasonable investor”? So, you don’t need to announce that until you’re certain, and it’s based on what you can collect?

  7. Cyber Risk Management and some good examples of how to set up a proper  cyber risk organization

 

Additional Links: https://csrc.nist.gov/CSRC/media/Projects/usable-cybersecurity/images-media/Is%20Usable%20Security%20an%20Oxymoron.pdf 

http://web.mit.edu/Saltzer/www/publications/protection/Basic.html 

https://www.sec.gov/news/press-release/2023-139 

https://www.sec.gov/news/statement/munter-statement-assessing-materiality-030922 

https://www.pwc.com/us/en/services/consulting/cybersecurity-risk-regulatory/sec-final-cybersecurity-disclosure-rules.html 

https://www.nasa.gov/centers/ames/research/technology-onepagers/hc-computing.html 

https://securityscorecard.com/blog/what-is-cyber-security-performance-management/