Subject: SANS Comment - File Number S7-09-22
From: Brian Correia
Affiliation: Director of Business Development, GIAC

May 20, 2022

Thank you for the opportunity for the SANS Institute to comment on the Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure proposed rule by the U.S. Securities and Exchange Commission. The SANS Institute supports any means to enhance and standardize cyber disclosure and, as an objective, non-biased cybersecurity institution, advocates for improving these mandates. While disclosure in cybersecurity does have potential pitfalls, the SANS Institute strongly believes that the benefits outweigh the concerns. The cybersecurity presence and visibility that investors and the public expect from business will only grow over time, as cybersecurity impacts every part of daily business operations. This need is currently being addressed by organizations that are using best-practice frameworks in their cyber ecosystem, such as the CIS Controls (https://www.cisecurity.org), the NIST Cybersecurity Framework (https://www.nist.gov/cyberframework) and the MITRE ATT&CK Framework (https://attack.mitre.org).

The SANS Institute believes that cyber expertise is needed on the boards of public corporations. That expertise should focus on the cyber implications of board decisions, with directors who understand these issues. The SANS Institute believes this is possible through proper training and certifications that validate directors' skills, as in other professions, such as an accountant who has achieved the Certified Public Accountant designation. This will give investors confidence and assurance that the board can make sound decisions concerning cyber risk and investments. A useful reference for work roles within cybersecurity is the NICE Framework (https://www.nist.gov/itl/applied-cybersecurity/nice), which lists the tasks, skills and knowledge associated with potential director titles such as Information Systems Security Manager, Security Architect, or Cyber Defense Analyst.

Thank you once again for the opportunity to comment on these proposed rules. The SANS Institute looks forward to seeing how they will help improve the protection of investors and the public.



Brian Correia
Director of Business Development, GIAC