What does materiality mean exactly?
Aug 12, 2024

CSO Perspectives is a weekly column and podcast where Rick Howard discusses the ideas, strategies and technologies that senior cybersecurity executives wrestle with on a daily basis.


The idea of cybersecurity materiality is tough to get your hands around.

I'm part of a Carnegie Mellon University (CMU) team that contributes to a six-month-long Chief Information Security Officer (CISO) Certificate program. It targets existing CISOs who want to sharpen their skills and other security professionals looking to get into the CISO game. CMU brings in 18 cybersecurity luminaries like Cybersecurity Canon Hall of Fame authors Jack Jones (co-author of “Measuring and Managing Information Risk”), Randy Trzeciak (co-author of “The CERT Guide to Insider Threats”), and Doug Hubbard (co-author of “How to Measure Anything in Cybersecurity Risk”). Don’t ask me how I got on the list. Clearly CMU was misinformed about what the word “luminary” means.

For my piece, twice a year, I facilitate a five-hour session that covers and updates the subjects in my book, “Cybersecurity First Principles: A Reboot of Strategy and Tactics.” Each time we do it, there is a subset of students consisting of senior government people looking to make the transition to the commercial world or just trying to understand how we civilians think about the job of being a CISO. Last December, my class had a handful of senior US Navy people, and they were intensely interested in how the Navy could improve its cybersecurity risk forecasting. But, after listening to Jones, Hubbard, and me go on and on about what risk forecasting means, they kept stumbling on one specific piece of how I defined it.

You all know that for the past four years, I have made the case that in order to “solve” cybersecurity, the starting point, the absolute atomic first principle, is this: 

Reduce the probability of material impact due to a cyber event in the next 3-5 years.

The thing that the Navy leadership kept stumbling over is the idea of “materiality.” Their understanding was that “materiality” was simply a financial term used by public companies in their quarterly earnings reports. It had no meaning for companies that weren’t public, and especially not for government organizations, institutions that aren’t in business at all.

In the First Principles book, I estimate that there are some 6 million companies, non-profits, and government institutions in the United States. According to Advisorpedia, as of 2024, there are only 2,790 public companies. Navy leadership rightfully asked the question: if “materiality” only applies to well under 1% of the entire population (closer to 0.05% by those numbers), how can it be an integral part of any first principle? That’s a great question. In this essay, I'm going to cover how infosec professionals working in non-public organizations in general, and the US Navy specifically, can use the concept of “materiality” to forecast cyber risk.

The origin and current state of materiality in the business world. 

According to the Harvard Law School Forum on Corporate Governance, Supreme Court Justice Thurgood Marshall crafted the landmark judicial definition of materiality in 1976. He wrote in TSC Industries v. Northway that a fact is “material” if there is “a substantial likelihood that a reasonable shareholder would consider it important in deciding how to vote,” or “a substantial likelihood that the disclosure of the omitted fact would have been viewed by the reasonable investor as having significantly altered the ‘total mix’ of information made available.”

Phew! That’s a mouthful.

Restated, for a public company in the United States, a fact is “material” if a reasonable investor would care about it, which in practice means any event that could significantly move the share price. That seems straightforward enough until you view it through the lens of cybersecurity. Except for some obvious, significant public cyber attacks, like the 2017 Russian NotPetya campaign where the total estimated damage worldwide was north of $10 billion, public companies have never really addressed cybersecurity material risk in their earnings calls; at least, not as a matter of course. Business leaders and infosec professionals don’t have the language to bridge the gap between typical business materiality issues, like mergers and acquisitions, and the infosec professional’s favorite tool to convey cybersecurity risks, the heat map.

That started to change in 2023. The U.S. Securities and Exchange Commission (SEC) adopted a new rule for all public companies: a material cybersecurity incident must be disclosed on Form 8-K within four business days of the company determining that the incident is material (the clock starts at the materiality determination, not at discovery), and the company must describe its cyber risk management, strategy, and governance in its annual report. All of a sudden, cybersecurity materiality became a real thing that security practitioners in public companies needed to worry about. Every public company CISO worth their salt made a beeline to the CFO’s office in order to come to some understanding about how they were going to define cybersecurity materiality going forward.

But hold the phone. In a landmark decision this summer (2024), Loper Bright Enterprises v. Raimondo, the US Supreme Court overruled its 1984 decision in Chevron v. Natural Resources Defense Council, better known as the Chevron doctrine, which had required federal courts to defer to a federal agency’s reasonable interpretation of an ambiguous statute, in effect letting agencies like the SEC fill in the gaps Congress left. Chief Justice John Roberts called the Chevron doctrine “fundamentally misguided.”

This shift away from the Chevron doctrine introduces a period of uncertainty for the enforcement of the SEC's cybersecurity reporting rule. Companies and regulators alike will need to navigate this new legal landscape carefully. The rule doesn’t go away, and noncompliance is still noncompliance, but anyone who wants to challenge the SEC’s authority to issue the rule now has a far friendlier path through the courts.

What a mess. 

Regardless of what you think about the SEC reporting rule, the Supreme Court’s reversal of the Chevron doctrine just tossed a giant bucket of chaos and uncertainty on the entire question of cybersecurity material reporting for public companies. As a side issue, the entire idea of rulemaking by named government institutions (like the Food and Drug Administration (FDA) and the Environmental Protection Agency (EPA), just to name two) has been called into question.

For now, infosec professionals will get no legal clarity in the US anytime soon on what is material and how it should be reported. Since what we did have before only applied to public companies anyway, this is probably no big loss for the infosec profession. In terms of cybersecurity first principles, though, is materiality still an essential concept?

The concept of materiality is still fundamental to cybersecurity.

If you take any three random people walking down the hallway at your headquarters building and lock them in a room with a white board for an hour, they could probably come up with hundreds of potential risks to the business or to some government mission. Some risks would be more likely than others and some would have more impact than others, but the list would be long. If you then brought the senior leaders of the organization into the room, they would most likely extend the list by some meaningful number. But let me be blunt here. A material issue is a potential organization or mission killer. If you’re trying to prioritize the team’s future work, dividing the potential risks into material risks and everything else is a useful exercise. It tends to focus the leadership.

When the REvil (Sodinokibi) ransomware gang hit Travelex on New Year’s Eve 2019, the company spent weeks with its systems offline and, by August 2020, had fallen into administration (it became insolvent and was unable to pay its debts), with the attack and the pandemic cited as the causes. That’s a company killer. In the breach disclosed in 2015, the Chinese state-backed group tracked as Deep Panda stole the personnel files and background-investigation records of some 21.5 million current and former US government employees, contractors, and applicants from the Office of Personnel Management (OPM); perhaps “the most impactful cyber espionage campaign known to the public against any country.” One of OPM’s primary missions was to protect the government’s personnel files. They completely failed. That’s a mission killer.

Since none of us has an infinite resource supply in terms of the people-process-technology triad, it makes sense to completely focus our first principle strategies to protect the material things in our environments and not get distracted by all the other things. And I hear what you’re saying. There are plenty of potential risks that fall short of the company/mission killer paradigm that would still be significantly painful; that would cause serious disruption to current planning and progress. You could make the case that some of these risks might be material too. Fair enough. But let’s start with the company/mission killers first and work back from there. Those are absolutely material.

How to discover your material issues.

How do you don a Hogwarts sorting hat and sift all the potential risks written on that hypothetical white board into two buckets: potential material risks and everything else? If you work for a business, your cybersecurity company-killer risks, your material risks, can usually be reduced to a dollar figure. How much money can the company afford to spend in terms of lost revenue, incident response, paid ransom (if you choose to do that), recovery costs, potential lawsuits, and potential compliance fines before the company becomes insolvent like Travelex? In this business case, it doesn’t matter if you’re a public or a private company or if the SEC’s reporting rule is valid or not. This is simply a math problem that the senior leadership team needs to get their hands around: add up the loss components a single event could plausibly produce, compare the total with the cash and credit the company could burn to absorb it, and the point where the total exceeds that capacity is your materiality threshold. Once that number is found, the CISO can then devise first principle strategies to reduce the probability of ever getting into that situation.
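As an added illustration, not from the column or from Hubbard's or Jones's own materials, here is a small Monte Carlo forecast in the style those two teach: each loss component gets a calibrated 90% confidence interval, modeled as a lognormal distribution, and the simulation estimates the probability that at least one cyber event in a three-year horizon costs more than the materiality threshold. Every figure (the intervals, the threshold, the yearly event probability) is constructed for a hypothetical mid-sized private company, and the assumption that a control program halves the yearly event rate is exactly that, an assumption.

```python
"""Monte Carlo forecast of P(material cyber event) against a dollar threshold.

Added example; all dollar figures and probabilities are constructed for illustration.
"""
import math
import random

# z-score that bounds the central 90% of a standard normal (its 95th percentile)
Z90 = 1.6449


def lognormal_params(lower, upper):
    """Turn a calibrated 90% confidence interval (lower, upper), both > 0, into the
    (mu, sigma) of a lognormal whose 5th and 95th percentiles land on those bounds."""
    if not 0 < lower < upper:
        raise ValueError("need 0 < lower < upper")
    mu = (math.log(lower) + math.log(upper)) / 2.0
    sigma = (math.log(upper) - math.log(lower)) / (2.0 * Z90)
    return mu, sigma


def implied_interval(mu, sigma):
    """Inverse of lognormal_params: the 90% interval a (mu, sigma) pair encodes."""
    return math.exp(mu - Z90 * sigma), math.exp(mu + Z90 * sigma)


def event_cost(components, rng):
    """Draw the total cost of one cyber event: the sum of independent lognormal
    draws, one per loss component (the components are assumed independent)."""
    total = 0.0
    for lower, upper in components.values():
        mu, sigma = lognormal_params(lower, upper)
        total += rng.lognormvariate(mu, sigma)
    return total


def probability_material(components, p_event_per_year, threshold,
                         years=3, trials=20_000, seed=7):
    """Estimate P(at least one event in the horizon costs more than threshold).

    Simplifying assumption: each year sees at most one qualifying event, with
    probability p_event_per_year, and events are judged one at a time (no
    accumulation across years). A seeded RNG keeps the forecast repeatable."""
    if not 0.0 <= p_event_per_year <= 1.0:
        raise ValueError("p_event_per_year must be in [0, 1]")
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        for _ in range(years):
            if rng.random() < p_event_per_year and event_cost(components, rng) > threshold:
                hits += 1
                break  # this trial already crossed the threshold
    return hits / trials


# Constructed 90% confidence intervals (USD) for one event at a hypothetical company.
COMPONENTS = {
    "lost_revenue": (500_000, 20_000_000),
    "incident_response": (200_000, 3_000_000),
    "recovery": (300_000, 8_000_000),
    "legal_and_fines": (100_000, 15_000_000),
}
# Constructed: cash plus credit the company could burn before insolvency.
THRESHOLD = 25_000_000


def forecast():
    """Forecast before and after a control program assumed to halve the yearly event rate."""
    before = probability_material(COMPONENTS, 0.30, THRESHOLD)
    after = probability_material(COMPONENTS, 0.15, THRESHOLD)
    return before, after


if __name__ == "__main__":
    before, after = forecast()
    print(f"P(material event in 3 years): before controls {before:.1%}, after controls {after:.1%}")
```

The pair of numbers `forecast()` returns is the conversation to have with the CFO: not a heat map, but "this is how likely we are to hit the number that puts us in administration, and this is how much the proposed program moves it." Swap in the company's own calibrated intervals and threshold, and re-run whenever either changes.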

I'm not saying it’s easy to get all of those cats and dogs running in the same direction, but determining materiality in a business sense is easy compared to how government institutions can determine material risks to their key missions. It’s not a dollar figure, although cost is a contributing factor. Materiality in a mission sense is much bigger than just costs. As an example, let’s look at how the U.S. Navy might think about cybersecurity materiality for its mission sets.

How could the Navy think about cybersecurity materiality.

I think there are at least four sets of materiality threat vectors that the Navy might consider (there are probably more). All four have to do with the idea of significantly degrading or defeating ongoing or future naval operations because of a cyber attack.

1: Loss of Life. A cyber attack that directly or indirectly leads to significant loss of life for military, government civilian, or contracting personnel.

2: Cyber Espionage. A cyber spy campaign that steals personnel information (like the OPM breach), strategic plans (like the plans for the invasion of Iraq in 2003), tactical plans (like the 2020 strike that killed Iranian Major General Qasem Soleimani), or important R&D (like the plans for the F-35 stealth fighter back in the day).

3: Physical Infrastructure Destruction. A cyber attack that damages physical infrastructure in support of a real-world mission (like Stuxnet, discovered in 2010, did to Iran’s uranium enrichment centrifuges). In my mind, physical infrastructure targets include deployed and future weapons systems as well as power, water, and other basic necessities.

4: Mission degradation. A cyber attack that targets supporting operational capability (supply, medical, communications, etc.), like the Russian wiper attack that knocked Viasat KA-SAT satellite modems offline across Ukraine on the first day of the 2022 invasion, or that targets the mission forces directly (like the Russian hack-and-leak operation against the Clinton campaign and the DNC in 2016).

To be clear, there exist literally thousands of threat vectors that might cause some damage to the Navy’s missions. But to follow our first principle mantra, we want to focus only on threat vectors that can cause material damage. These four are a good start.

For the U.S. Navy then, their absolute cybersecurity first principle is the same as all the other organizations in the world: reduce the probability of a material cyber event. 

The difference between the Navy and say, Goldman Sachs, is how each defines materiality for themselves. For Goldman Sachs, materiality is associated with share value, potential lost revenue, and recovery costs. For the U.S. Navy, materiality is any significant impact caused by one or more of these four threat vectors. 

Takeaway.

The subtle takeaway is that this is not just Navy specific either. These four materiality threat vectors could equally apply to the other US military services and the intelligence agencies (like the CIA, the NSA, and the FBI) without too much editing. For non-military government institutions (like the Environmental Protection Agency (EPA), the Securities and Exchange Commission (SEC), and the Federal Communications Commission (FCC)), these material threat vectors wouldn’t be exactly the same but they would likely fall along the same lines.

The point is that the idea of materiality applies to all organizations regardless of size and type: public companies, private companies, and government institutions. That’s what makes it a key component to our absolute cybersecurity first principle. It wouldn’t be a first principle component if it didn’t apply everywhere.

That doesn’t mean that materiality means the same for everybody. What cyber materiality means for Elon Musk and Tesla (Public Company)  will not be the same for what it means to me at N2K (Private Company) which will not be the same for what it means to Carlos Del Toro (The Secretary of the Navy).

Knowing what Cybersecurity materiality means for your organization is the first step. It’s a difficult step and will change over time. But defining it for your organization is essential for a cybersecurity first principle infosec program.

References:

Amy Howe, 2024. Supreme Court strikes down Chevron, curtailing power of federal agencies [Blog]. SCOTUSblog.

Cydney Posner, 2023. SEC Adopts Final Rules on Cybersecurity Disclosure [Explainer]. The Harvard Law School Forum on Corporate Governance.

Cynthia Brumfield, 2022. 5 years after NotPetya: Lessons learned [Analysis]. CSO Online.

Eleanor Dallaway, 2023. Closed for Business: The Organisations That Suffered Fatal Cyber Attacks that Shut Their Doors For Good [News]. Assured.

Gary Cohen, 2021. Throwback Attack: Chinese hackers steal plans for the F-35 fighter in a supply chain heist [Explainer]. Industrial Cybersecurity Pulse.

James Pearson, 2022. Russia downed satellite internet in Ukraine [News]. Reuters.

D. Katz, 2021. Corporate Governance Update: “Materiality” in America and Abroad [Essay]. The Harvard Law School Forum on Corporate Governance.

Kim Zetter, 2014. Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon [Cybersecurity Canon Hall of Fame Book]. Goodreads.

C.J. Lizárraga, 2023. Improving the Quality of Cybersecurity Risk Management Disclosures [Essay]. U.S. Securities and Exchange Commission.

Matthew Daly, 2024. Supreme Court Chevron decision: What it means for federal regulations [News]. AP News.

Rick Howard. Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon [Book Review]. Cybersecurity Canon Project.

Rick Howard, 2021. Using cyber sand tables to study the DNC hack of 2016 [Podcast]. The CyberWire.

Rick Howard, 2022. Cyber sand table series: OPM [Podcast and Essay]. The CyberWire.

Staff, 2020. Qasem Soleimani: US strike on Iran general was unlawful, UN expert says [Explainer]. BBC News.

Staff, 2023. Final Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure [Government Guidance]. U.S. Securities and Exchange Commission.

Staff, 2024. Number of Public Companies v. Private: U.S. [Website]. Advisorpedia.