As a reaction to a number of major corporate and accounting scandals (namely Enron and WorldCom), twenty years ago the Sarbanes-Oxley Act (SOX) was enacted. The law is almost certainly present in the day-to-day professional lives of every public company CFO and CEO.

Arguably, SOX has improved transparency and investor confidence in US capital markets. By imposing strict new controls over financial reporting processes, mandating criminal penalties for senior executives who certify false financial statements, enacting new regulations ensuring auditor independence, and strengthening Board oversight and governance, Congress accomplished what it set out to do: end the rash of accounting scandals that plagued financial markets in the early 2000s.

Fast forward 20 years, and we are faced with a steady stream of cybersecurity events. This week, the SEC charged SolarWinds and its Chief Information Security Officer with fraud and internal control failures.

CISO criminal liability is something the cybersecurity community has been watching closely over the past several years. The fresh SEC charges against SolarWinds and its CISO come on the heels of a judge sentencing the Uber CISO to three years’ probation for his role in the coverup of a 2016 data breach at Uber. Threatening executives with jail time is a powerful motivator. Just as the implementation of SOX materially strengthened financial controls and reporting, expect technology executives to insist on stronger cyber risk programs and mechanisms to provably demonstrate cyber posture:

  • Increased use of quantitative frameworks to supplement opinion and professional judgement in cyber risk decision making
  • CISO participation in regulatory disclosure process
  • Larger cyber risk budget requests to close security control gaps
  • Pay increases for qualified CISOs to compensate for personal risk
  • Increased scrutiny on the contracted liability “teeth” for cybersecurity functions that are outsourced

The cybersecurity space is awash with tooling. Even highly mature cyber risk programs find it difficult to translate the effectiveness of their tooling into a form that risk governance teams can consume, so that those teams know which cyber risk investments are appropriate and can react quickly in this highly dynamic space. Unlike financial controls, which are relatively static over time, cyber controls faced with active adversaries must constantly evolve. Establishing an effective cyber risk governance structure and maintaining clear accountability within that structure is critical when making material statements about the current state of your security program.

Need a clear perspective on your cybersecurity?

GoSecure can guide you.

GoSecure Titan® Threat Modeler provides cyber risk executives a dynamic view of the effectiveness and appropriateness of their control tools and controls in light of relevant threats.

Explore GoSecure Penetration Testing Services, Advisory Services and GoSecure Titan® Threat Modeler for a comprehensive view of your cyber posture. GoSecure Titan® Threat Modeler, combined with robust offensive testing from our penetration testing services to validate technical control efficacy and with our advisory services to conduct GRC assessment programs that evaluate the maturity of the security program, provides quantitatively rigorous and compelling evidence of effective control coverage against emerging threats, which supports strategic control investments and cyber risk posture in general. Validate your security efficacy with GoSecure Titan® Threat Modeler combined with GoSecure Penetration Testing Services and Advisory Services.
