Apr. 28, 2022
I am with the SANS Institute which is the largest cooperative research and education organization in cybersecurity. We appreciate that you are looking to add language to disclose if a director has knowledge, skills, or other background in cybersecurity along with a certification or degree. You may want to look in using the NICE Framework from the US government which is becoming the template of what is needed for the workforce in cybersecurity and defining work roles. Here is the site - https://www.nist.gov/itl/applied-cybersecurity/nice/nice-framework-resource-center As the largest organization that offers degrees and certifications in cybersecurity it would be great to have a conversation to see how we can help with your mission on this proposed rule. We are also glad to have you talk with our practitioners and top experts since you just want to be careful in the definition of expertise before making this disclosure a rule for public companies. For example, in critical infrastructure you see confusion on the definition of OT (Operational Technology) vs. IT where folks are considered experts when they have more an IT background. Even US DHS has stated: “Incident response deployed in IT business systems may result in ineffective and even disastrous results when applied to ICS cyber incidents.” Thanks ahead on your feedback on having such a conversation. Brian Correia Director of Business Development, GIAC