Skip to main contentSkip to navigationSkip to search
Rainbow trout and regulatory compliance


Alex Gambill | January 24, 2024  I  4 min read

What Do Rainbow Trout Have to Do with the New SEC Cybersecurity Regulation?

The serenity, solitude, and deafening silence of the river rushing past your knees, surrounded by snowcapped mountains while fly fishing is tough to beat. The beauty that engulfs your senses slowly lulls you into a daydream sequence. Trout aren’t super active in the winter, so the expectation of a catch is minimal. You slip further into your mind and then…BOOM! Fish on! You’re suddenly jostled from being alone with your thoughts, fighting to land what’s sure to be a nice fish – they usually are in the winter months.

But what does this have to do with security?

Make no mistake, there’s nothing serene, solitary, silent, or even remotely enjoyable about regulatory requirements. They’re an important and necessary component of the daily lives of practitioners and services providers. The commonality is that we’re in a daydream sequence when it comes to SOX 404. We’ve become desensitized to it because it’s overloaded every aspect of our conversations, conferences, social media feeds, and vendor relationships. We’ve been bludgeoned with content targeting GDPR and other similar privacy regulations – and that’s just scratching the surface. Fast-forward to the here and now. We’re standing in that river of regulatory compliance, desensitized to the reality that a beautiful, native rainbow trout could be on our line at any moment.

In the world of regulatory compliance, that trout is the new SEC Cybersecurity Regulation.

Much like me scrambling to set the hook and strip line, we’re all in a position of needing to quickly rotate to address the newest requirements passed down from the SEC – whether we’re ready or not..

At a high level, the goal of the new requirements is enhancing the cybersecurity practices of publicly traded companies’ as they relate to risk management and governance, while increasing transparency around cybersecurity events. Specifically, an organization must provide a comprehensive disclosure of its processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats.

But let’s not forget about our friends at privately held companies. You may be impacted as well, particularly if you’re looking to interoperate with publicly traded companies from a vendor, partner or other 3rd party relationship perspective.

Rainbow trout and regulatory compliance

Rather than dive into the specifics of what organizations should be doing, let’s start with a few questions you will want to consider over the coming weeks.

  1. Who’s on first? Have you identified the right team with the right expertise to assess and manage cyber-related risk?
  2. When was your last risk assessment and how does it tie back to your risk and controls framework – specifically where you’ve identified cyber-related risks & controls?
  3. How are you proactively managing the potential for realized risks and the quantification of those risks within your key enterprise applications?
  4. What level of automation and technology-enabled processes do you have to empower your team to limit taking on a reactive response?
  5. What processes are in place to identify, manage and mitigate material risks from cybersecurity threats associated with the use of any third-party service providers?
  6. How are your existing cybersecurity processes integrated into the overarching organizational risk management processes?

If these questions have you thinking about technology-enabled processes for identity security, access governance, cloud security,customer identity management, and privileged access, then you’re on the right track.

2024 has arrived and so have the new challenges and opportunities – cheers to avoiding cyber threats, tight lines and more than a few moments of serenity, solitude and deafening silence in the middle of a remote mountain stream.

Alex Gambill, Director, Application Security & GRC


Alex Gambill, Director, Application Security & GRC Advisory

With more than 14 years of experience in the identity, application security, and controls space, Alex has helped numerous Global 2000 and Fortune 500 organizations develop and deliver their enterprise application security, access controls, and identity initiatives to support governance, risk, and compliance frameworks.  

To hear more from Alex, follow him on LinkedIn.

Get in touch

Think we could help your business deliver on technology’s promise? We think so too. Drop us a Line, and we’ll get back to you in a heartbeat.