At a glance.
- How do we define “cyber worker”?
- The SEC’s rationale behind its new cyberincident disclosure rule.
How do we define “cyber worker”?
In a recent interview, the US deputy national cyber director for technology and ecosystem security, Camille Stewart Gloster, told Nextgov.com that the Office of the National Cyber Director is working to address gaps in the cybersecurity workforce. In particular, Gloster is focused on collecting data about the cyber workforce and finding the best way to analyze that data so it informs the training and recruiting processes. “The hard challenge that I'm excited to start to tackle is the data piece,” she stated. “I don't think there are any easy answers, but we're not going to shy away from trying to answer that question…what's the right apparatus to intake the data and then how do we use it?”
The first hurdle will likely be agreeing on exactly what a cyber worker is, a definition that keeps changing as the cybersecurity landscape expands to keep up with advances in technology. Gloster explains, “And so as the digital ecosystem evolves, and we recognize just how multidisciplinary the space is, … how do you create a system for getting the numbers where the environment is that dynamic? That's the challenge we have ahead of us. And what makes this so hard.”
The SEC’s rationale behind its new cyberincident disclosure rule.
As we’ve seen, the US Securities and Exchange Commission (SEC) recently voted to adopt a new rule, proposed last year, requiring publicly traded companies to standardize their cybersecurity management and disclosure rules. In a statement from the SEC, Commissioner Jaime Lizárraga explains why the new rule was necessary. Lizárraga states, “I am pleased to support this rule because it will strengthen the quality, consistency, and timeliness of cybersecurity-related disclosures to investors.”
He acknowledges that while corporate executives have made cybersecurity a priority, as of yet there have been no clear, specific disclosure requirements, which has allowed organizations to pick and choose when and how to disclose incidents. “By clarifying what companies must disclose, the rule will provide investors with more certainty and easier comparability,” he explains. “This will reduce the risk of adverse selection, and the potential mispricing of a company.” He goes on to say that more timely incident reporting will help companies stay abreast of the cyber threats that could impact their sector, and consumers will be better informed when it comes to deciding which organizations they can trust with their personal data.