
Cybersecurity Leaders Spooked by SEC Lawsuit Against SolarWinds CISO

The SEC’s lawsuit against the CISO of SolarWinds is leaving CISOs across the industry spooked and reevaluating their roles.

In a development sparking chatter and debate through the cybersecurity world, the lawsuit filed by the U.S. Securities and Exchange Commission (SEC) against the Chief Information Security Officer (CISO) of SolarWinds is leaving CISOs across the industry spooked and reevaluating their roles.

The lawsuit alleges that SolarWinds CISO Timothy Brown failed to disclose critical information regarding the massive cyberattack on the company’s software supply chain that occurred in late 2020. The complex attack, widely attributed to state-sponsored Russian hackers, compromised the networks of numerous government agencies and corporations that relied on SolarWinds’ products. It was a significant event in the world of cybersecurity, leading to numerous downstream breaches, a frenzy of investigations, and regulatory scrutiny.

The SEC’s lawsuit is a rare instance of a regulatory body targeting a CISO for alleged mismanagement of cybersecurity risks. The suit claims that SolarWinds’ CISO was aware of vulnerabilities in the company’s systems but did not disclose them adequately to investors, leading to misleading statements in SolarWinds’ filings with the SEC.

Industry experts have expressed mixed opinions on the SEC’s lawsuit. Some view it as a necessary step toward holding CISOs accountable for their actions or inactions when it comes to cybersecurity. They argue that CISOs play a crucial role in safeguarding a company’s digital assets and must be transparent with both their organization and regulators about potential threats.

“The SEC litigation against SolarWinds is going to do more to advance security than another decade of breaches would,” Jake Williams, a prominent cybersecurity expert, wrote in a post on X. “CISOs are often beaten into submission under threat of losing their jobs. The SEC gave them the holy hand grenade to fight back against any pressure to mislead.”

However, others, including SolarWinds itself, argue that this lawsuit sets a concerning precedent. They fear that CISOs may become hesitant to share information about cyber threats within their organizations, worried that any disclosure might open them up to legal action. This, they say, could hinder the industry’s ability to effectively respond to cyberattacks and protect sensitive data.

“The SEC’s charges now risk the open information-sharing across the industry that cybersecurity experts agree is needed for our collective security,” Sudhakar Ramakrishna, President and Chief Executive Officer of SolarWinds, noted in a blog post addressing the charges. “They also risk disenfranchising earnest cybersecurity professionals across the country, taking these cyber warriors off the front lines. I worry these actions will stunt the growth of public-private partnerships and broader information-sharing, making us all even more vulnerable to security attacks.”

In response to the lawsuit, many CISOs and cybersecurity professionals will be taking a closer look at their own roles and responsibilities. Many will be consulting with legal teams to ensure they have a clear understanding of the potential legal risks associated with their positions. Others will surely be revising their disclosure practices to strike a balance between transparency and potential liability.

The SolarWinds lawsuit has highlighted the evolving nature of CISOs’ responsibilities. No longer confined to just managing technical security measures, CISOs are increasingly expected to be adept communicators, translating complex cybersecurity threats into language that their executive teams, boards, and regulators can understand.

“The headline here is in paragraph 10 of the legal complaint: the commissions and false statements about security would have violated securities laws even if SolarWinds hadn’t been targeted. That they were targeted only served to highlight the issues,” Williams told SecurityWeek.

“CISOs, especially those at publicly traded companies, should take stock of their security programs and ensure that what’s being communicated to the public is rooted in reality rather than spin and wishful thinking,” he added. “For those in privately held organizations, the SEC is setting a new standard for security disclosures with this lawsuit. Don’t be surprised to see that standard used in litigation if you make false, incomplete, or misleading statements about security to customers or business partners.”

It remains to be seen how the lawsuit against the SolarWinds CISO will unfold and what implications it will have for the cybersecurity industry as a whole. Regardless of the outcome, it serves as a stark reminder that the role of CISOs is continually evolving, and they must navigate a complex landscape of legal and regulatory challenges.

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
