Red Cross: Lawyer Volunteers to Crunch the Numbers for the Red Cross

One of many amazing aspects about the volunteers of the American Red Cross is how diverse and unusual each volunteer’s background can be. That is certainly the case of Mrunmayee Pradhan, who began volunteering with the Missouri-Arkansas region three years ago. Timing is everything: she moved from India to the US in 2019, eventually settling in the Bentonville, Arkansas, area.

She began her career as a lawyer, then broadened her skill set by mastering data analysis tools from Google, Microsoft, and Tableau, which she put to work on large-scale workforce management and tracking applications. That came in handy for the Red Cross, and you can read more about her story here.

SiliconANGLE: Our national cybersecurity strategy is all over the place

Earlier this year, the Biden White House released its National Cybersecurity Strategy policy paper. Although it has some very positive goals, such as encouraging longer-term investments in cybersecurity, it falls short in several key areas. And compared with what is happening in Europe, once again the U.S. is falling behind and failing to get the job done.

The paper does a great job outlining the state of cybersecurity and its many challenges. What it doesn’t do is set out specific tasks or how to fund them. I analyze the situation for SiliconANGLE here.

SiliconANGLE: Is it time to deploy passkeys across the enterprise? Here’s what you need to know

It’s a great time to think more about passkeys, and not just because this Thursday is another World Password Day. Let’s look at where the passkey plans announced in 2022 stand, and what companies will have to do to deploy them across their enterprises. Interest in the technology, also referred to as passwordless (a bit of a misnomer), has been growing since Google announced its support last fall, and before that when Apple and Microsoft came out in support last summer.

This post for SiliconANGLE discusses the progress made on these technologies, covers some of the remaining deployment issues, and reviews two sessions at the recent RSA Conference that can be useful for enterprise security managers.

Time to have a cybersec guru on your board

Last month, the Securities and Exchange Commission proposed some new guidelines to promote better cybersecurity governance amongst public companies. They make for interesting reading, particularly in one area where the SEC is trying to track the level of cyber expertise on the boards of directors of these companies. They ask that companies disclose whether “any director has prior work experience in cybersecurity,” which covers a fairly broad range: anyone who has been a CISO or has held any position with security in its title, holds any cyber certifications, or has specific cyber knowledge.

Now, just the way this is worded in the proposed rulemaking makes me very skeptical. My first impression is that anyone who admits to satisfying these criteria to the SEC will paint a target on their back and will be blamed for any future threat or exploit. Then, what if I took an exam (like the CISSP or Security+) and didn’t pass? I still have some cyber knowledge. Does this mean I still have to disclose to the SEC?

The wording of the qualifications also implies (at least to me) that just about any Computer Science grad would probably have taken some infosec training (hope springs eternal) and would need to disclose this. I am not sure this satisfies the SEC’s intention.

But let’s get to the meat of the matter and address two important questions.

First, will these proposed rules motivate firms to hire any effective cyber experts as board members? My guess is probably not. At best, boards meet quarterly, and what is a board member supposed to do in between meetings if something is awry? Does this mean a CISO has a shadow reporting relationship to the cyber-aware board member? That is not a recipe for good corporate governance.

Here is a thought. A few years ago, I developed (somewhat tongue-in-cheek) a cybersec quiz that you can give your boss. It is easily repurposed for vetting your potential cyber-friendly board members, if you can get them to answer the questions truthfully. You may want to use that as a screening tool if you are going to expand your board of directors, or if you are going to have a separate “technical advisory board” that could be useful in directing your future digital and cybersec policies. (I have served in this capacity, BTW.)

Second, will having this kind of expertise make a difference in terms of better breach response? One of the other proposed rules by the SEC is to mandate disclosure within four business days once a breach has been determined to be material. That is probably more important than anything else in these proposed rules, especially as most firms have a culture of hiding a breach for as long as they can get away with it. How this turnaround period is measured, and when the clock starts, isn’t really well defined either.

If you want to submit a comment before 5/22/23 on File No: S7-04-22, go to this page on the SEC’s website, scroll down the page and find this file number to bring up the appropriate form.

Red Cross blog: Jim Gallagher and Hurricane Ian’s response

What skill does a retired journalist have in common with an American Red Cross disaster action team volunteer? This is not a rhetorical question: the two jobs both require you to listen to people carefully and be empathetic to their needs. This is the story of Jim Gallagher, who spent more than 27 years working for the St. Louis Post-Dispatch, mainly as a business reporter. “As a reporter you want to get people to open up to you, but that same skill in listening to people certainly helps when you are deployed. In both circumstances, you have to project sympathy,” he said. Both he and his wife have volunteered on a number of deployments. He responded to the aftermath of Hurricane Ian in central Florida last fall. Both helped out with those displaced by the California wildfires and helped ease the transition of unaccompanied minors crossing the southern border in 2021. In addition to their Red Cross activities, they also volunteer regularly at a local food bank.

You can read more about Jim and his volunteer activities on the Red Cross blog here.

CSOonline: What is the Traffic Light Protocol and how it works to share threat data

Traffic Light Protocol (TLP) was created to facilitate greater sharing of potentially sensitive threat information within and between organizations and to enable more effective collaboration among security defenders, system administrators, security managers and researchers. Each report carries a color label that tells the recipient how far it may be passed on. In this piece for CSOonline, I explain the origins of the protocol, how it is used by defenders, and what IT and security managers should do to make use of it in their daily operations.
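The sharing rules are simple enough that a defender can enforce them in the tooling that forwards reports, rather than trusting everyone to remember what TLP:AMBER+STRICT allows. The following is an added example, not code from the CSOonline piece or from FIRST, which publishes the TLP standard. The five label meanings follow the TLP 2.0 definitions (TLP:WHITE is accepted as the older name for TLP:CLEAR); the organisation names, e-mail addresses, sample subject line and the client/community relationships are constructed for illustration and would come from your own ISAC membership list and client register in practice.

```python
import re
from dataclasses import dataclass

# TLP 2.0 labels from most to least restrictive. TLP:WHITE is the TLP 1.0
# name for what 2.0 calls TLP:CLEAR, so it is accepted and normalised.
LABELS = ("RED", "AMBER+STRICT", "AMBER", "GREEN", "CLEAR")
ALIASES = {"WHITE": "CLEAR"}
# AMBER+STRICT must precede AMBER in the alternation, or "TLP:AMBER+STRICT"
# would be cut short at "AMBER".
TLP_RE = re.compile(r"TLP:(AMBER\+STRICT|AMBER|RED|GREEN|CLEAR|WHITE)\b", re.IGNORECASE)


def parse_label(text):
    """Return the TLP label marked on a report header or body, or None.

    If a document carries several markings (say a TLP:GREEN advisory with a
    TLP:RED appendix), the most restrictive one governs the whole document
    until someone splits it."""
    found = [ALIASES.get(m.upper(), m.upper()) for m in TLP_RE.findall(text)]
    return min(found, key=LABELS.index) if found else None


@dataclass(frozen=True)
class Report:
    label: str
    source_org: str
    named_recipients: frozenset  # people in the original TLP:RED exchange


@dataclass(frozen=True)
class Recipient:
    email: str
    org: str


@dataclass(frozen=True)
class SharingContext:
    """Who the holding organisation is and how it relates to others.
    Assumed model for this example: 'clients' are organisations my_org
    provides services to, 'community' are peer and partner organisations."""
    my_org: str
    clients: frozenset
    community: frozenset


def may_share(report, recipient, ctx, public_channel=False):
    """Decide whether ctx.my_org, which legitimately holds `report`, may pass
    it to `recipient`. Returns (allowed, reason) so the reason can be logged."""
    label = report.label
    if label == "CLEAR":
        return True, "TLP:CLEAR carries no restriction"
    if public_channel:
        return False, f"TLP:{label} must not go over a publicly accessible channel"
    if label == "RED":
        if recipient.email in report.named_recipients:
            return True, "recipient was part of the original TLP:RED exchange"
        return False, "TLP:RED: only the original participants, not even colleagues"
    if recipient.org == ctx.my_org:
        return True, f"TLP:{label} permits sharing within {ctx.my_org}"
    if label == "AMBER+STRICT":
        return False, "TLP:AMBER+STRICT: own organisation only"
    if label == "AMBER":
        if recipient.org in ctx.clients:
            return True, f"TLP:AMBER permits sharing with client {recipient.org}"
        return False, f"TLP:AMBER: {recipient.org} is not a client of {ctx.my_org}"
    # Remaining case is TLP:GREEN: community only, never public channels.
    if recipient.org in ctx.community:
        return True, f"TLP:GREEN permits sharing with community peer {recipient.org}"
    return False, f"TLP:GREEN: {recipient.org} is outside the sharing community"


if __name__ == "__main__":
    # Constructed sample context and report header, not a real advisory.
    ctx = SharingContext("Acme", frozenset({"Globex"}), frozenset({"Globex", "Initech"}))
    header = "Subject: [TLP:AMBER+STRICT] Credential-stuffing IOCs, batch 7"
    rpt = Report(parse_label(header), "Acme-ISAC", frozenset())
    for who in (Recipient("bob@acme.example", "Acme"),
                Recipient("carol@globex.example", "Globex")):
        ok, why = may_share(rpt, who, ctx)
        print(f"{who.email:24} {'ALLOW' if ok else 'DENY '}  {why}")
```

Two design points worth noting: the parser deliberately picks the most restrictive marking when a document carries more than one, because a mixed document should be handled at its highest label until it is split; and the check refuses any non-CLEAR label on a publicly accessible channel before looking at the recipient, since that rule applies to every restricted label and is the one most often forgotten when a GREEN report ends up in a public chat.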

Keeping up with Covid misinformation policies

About a month ago, Twitter removed its policies blocking Covid misinformation. This has led to the spread of various flights of fancy, many of which are dangerous if taken seriously. We all know why this was done and by whom. I have written about this topic before in 2020 in this blog post that I urge you to review. Sadly, the situation has gotten worse.

Today in the NYTimes is an article about how misinformation continues to spread across social media. This prompted me to examine the Covid policies of various social media platforms. Let’s take a look at them.

Interestingly, Facebook has the most specific policy set here, running to more than 4,000 words. They address specific false claims (I won’t repeat them here, but it is a depressingly long list) and how the content can create potential harm to its users in the real world. The aim is to “reduce the distribution of content that does not violate our policies but may present misleading or sensationalized information about vaccines in a way that would be likely to discourage vaccinations.” That is an important point. One thing that I didn’t like was the way the policies were presented, with web links to other policies (such as bullying and hate speech) that are relevant but make the whole set hard to track and digest.

YouTube has its policies here. Not quite 1500 words, it still goes into specific details about what content isn’t allowed. Again, I am not going into any details but some of this stuff — as with Facebook’s recitation — is just bonkers. Also in the policy is a description of the consequences if you do post this content. That is perhaps the most useful element: three strikes within 90 days and your channel is “terminated.” None of the other platforms have this spelled out.

TikTok has the least helpful information here. Their community guidelines page has no mention of Covid, and this link (which is really more of a press release) is short on specifics.

Whether or not you agree with how and what the social platforms should do about Covid misinformation, the fact remains that vaccines, especially the Covid ones, save lives and have lessened the impact on those who have gotten the virus. And spreading false claims about what can protect you from disease is just another way for things to “go viral,” sad to say.

A10 Networks blog: How to Defeat Emotet Malware

One of the longest-running and more lethal malware strains has once again returned to the scene. Called Emotet, it started out as a simple banking Trojan when it was created in 2014 by a hacking group that goes by various names, including TA542, Mealybug and Mummy Spider. Emotet malware is back in the headlines and continues to be one of the most significant threats facing companies today. In this review for A10 Networks, I describe what it is, how it works, and how to defend against it using a combination of network and security tools.

Emotet Malware Timeline

Avast blog: A Bruce Schneier reader

Bruce Schneier’s work has withstood the test of time and is still relevant today.

If you’re looking for recommendations for infosec books to give to a colleague – or even to catch up on some holiday reading of your own – here’s a suggestion: take a closer look at the oeuvre of Bruce Schneier, a cryptographer and privacy specialist who has been writing about the topic for more than 30 years. He also has his own blog, which publishes interesting links to security-related events, strategies and failures, and which you should follow. In my blog post for Avast today, I review some of his books.

Avast blog: An update on international data privacy protection

The 38 member countries of the Organization for Economic Cooperation and Development (OECD) have recently adopted a new international agreement regulating government access to their citizens’ private data. The OECD draws its membership from countries on several continents, including the US, Israel, Japan, Chile, the Czech Republic, and the UK. The document was released with the rather ungainly title of the “Declaration on Government Access to Personal Data Held by Private Sector Entities.”

There are seven common principles that were adopted, all in the interest of preserving the free flow of data across country borders and promoting trust between citizens and their governments.

You can read more on my post for Avast’s blog today.