The US Securities and Exchange Commission (SEC) this week announced charges against SolarWinds and its chief information security officer (CISO) for allegedly misleading investors about cybersecurity practices and risks in the two years leading up to its disclosure of a significant hacker attack.
The Texas-based IT management company in late 2020 disclosed a massive breach that resulted in malware being delivered to major organizations.
A few months after SolarWinds executives were notified by the SEC of potential enforcement actions related to this supply chain cyberattack, the agency has now announced charges against the company and its CISO, Timothy Brown.
The SEC claims (filing PDF) that SolarWinds’ filings between its October 2018 IPO and its disclosure of the breach misled investors by only mentioning “generic and hypothetical risks”, while Brown allegedly knew of specific cybersecurity problems and “increasingly elevated risks”.
The agency’s complaint accuses Brown of being aware of the company’s cybersecurity risks and vulnerabilities, but failing to resolve them. The SEC also claims SolarWinds made an incomplete disclosure in December 2020 when the incident came to light.
The charges are leaving CISOs across the industry spooked and reevaluating their roles.
Industry professionals have commented on the implications of the SEC charges for CISOs and organizations, and shared recommendations on how they can avoid ending up in a similar situation.
And the feedback begins…
Igor Volovich, VP of Compliance Strategy, Qmulos (additional comments):
“While most are focusing on Mr. Brown, the company’s CISO, the real story is likely less about purposeful misrepresentation or outright malfeasance than about the divorced nature of cybersecurity from the corporate risk, compliance, and regulatory functions typically managed by the Legal team. Despite the fact that the SEC is presenting the CISO’s internal reporting of security deficiencies, juxtaposed with SolarWinds’ contradictory regulatory filings disclaiming any knowledge of material deficiencies, as “evidence of malfeasance” and “shareholder fraud,” the more likely scenario is that none of the people responsible for corporate regulatory filings either understood or recognized the significance of reported security issues within the context of “reportable material deficiencies” as defined by the SEC. Whether that’s a matter of negligence or malfeasance is what the legal proceedings will seek to determine.
CISOs also need to be aware of special protections offered to corporate whistleblowers under the recently established DOJ Civil Cyber-Fraud Initiative and the False Claims Act, as well as similar measures and incentives offered by the SEC. Corporate security leaders should be cognizant of their own accountability and individual legal, including potentially criminal, exposure in cases where they find themselves in the unenviable position of having reported significant security issues internally to little or no effect, while being simultaneously aware of inaccurate external reporting of corporate security posture in the form of regulatory filings, contractual representations, or inaccurate third-party assessments based on falsified internal data.
All corporate boards must take notice and recognize one simple truth: cybersecurity is not a technology function, cyber risk is risk, and security problems – especially systemic and persistent ones – tend to fall into the category of “reportable material deficiencies.” The SEC is putting every corporate board and officer on notice: plausible deniability is out, cybersecurity transparency is in, and everyone in the C-suite is accountable, not just the person with the courtesy title of CISO whose “C” is silent all other times until a breach or regulatory inquiry.”
Petri Kuivala, Chief Information Security Officer Advisor, Hoxhunt:
“Even if I strongly believe this SEC decision was correct and had to be made, it also pushes the companies who have a culture of “sweeping the problem under the carpet” to go even deeper with it. Because of that, I hope that the CxO community, together with their CISOs, CIOs, CTOs and other relevant stakeholders, have deep conversations about their approach in the future.
The CISO job is difficult, but so is any other job with a “C” in front of the title. This means that CISOs need to be capable of conveying truthful messages to decision makers without confusing them with all the nitty-gritty details. It’s difficult to be the bearer of bad news to your C-level and doing so requires an immense amount of preparation and data collection. That is what is expected from a CISO. They are decision makers and that comes with accountability.
All of this is easy to say thousands of miles away, in hindsight, and the situation can be more like “boiling the frog” instead of suddenly realizing one’s values are not aligned with the company’s.”
Agnidipta Sarkar, Vice President CISO Advisory, ColorTokens:
“This may very well end Tim Brown’s career, and will not bode well for the CISO role in the future. Considering that the CISO did send in reports and the leadership chose to act on some, would the CISO still be liable if someone else ignored what the CISO said? A lot of what’s in the complaint is true for almost all organizations. If what they reported was so bad, how did they likely pass FedRAMP audits for multiple years?
After this, the CISO role will perpetually be in ill repute. The reality is (and this has become a cliché now) that the cyber attacker needs to succeed only once, but the cyber defender needs to be successful every time. And this makes the CISO a very complex role. Unless one is on one’s toes, it is easy to suddenly find oneself at the mercy of external forces at a scale no other CXO is exposed to.
Every CISO candidate in the future will seek assurances, and some may be unwilling to be in those shoes. CISOs in the US will insist on a battery of lawyers and insurance and indemnity coverage, and the same level of cover that a CEO gets. Maybe, and thinking positively, CISO jobs will now be equally supported by the boards, like the CEO is.
Trust me, if this creates a precedent, being a CISO would be a death wish. Will new job descriptions put a statutory warning – “CISO jobs can be extremely harmful for your health and your career, join at your own risk?” Time will tell and I will weigh that opinion after the dust settles on this.
And God forbid if you tread into OT cybersecurity…that is an entirely different level of complexity.”
Francesco Trama, CEO, Founder, PacketViper (additional comments):
“The SEC’s charges against SolarWinds’ CISO should be a wake-up call for the entire industry, but they risk becoming a death knell for the role of the CISO. By making an example out of one individual, the SEC is inadvertently sending a message: “Become a CISO at your own risk.” This is not just counterproductive; it’s dangerous.
It’s high time that Boards and CEOs step up to the plate. They need to be educated about the intricacies of cybersecurity and should be held equally accountable for failures. Cybersecurity is not an IT issue; it’s a business issue that affects the bottom line, brand reputation, and customer trust.
If the SEC’s actions serve to deter qualified individuals from becoming CISOs, we’re setting ourselves up for a future rife with preventable cybersecurity incidents. Instead of playing the blame game, let’s focus on creating an environment where the CISO is empowered, supported, and, most importantly, not set up to fail.”
George Jones, Chief Information Security Officer, Critical Start:
“This could have a chilling effect on other CISOs, causing them to be more cautious about providing inaccurate information or incomplete information to investors or the public. It could also lead to an increase in transparency and accuracy in reporting cybersecurity practices.
I believe this will heighten the shortage of qualified CISOs that already exists. The demand for skilled cybersecurity workers is high due to the increased importance in today’s digital world, but such legal actions can deter some individuals from taking on CISO roles or make them more risk averse.
If he was knowingly misleading investors, he should have been charged. There is some question as to how much he knew about the security gaps, and there could be plausible deniability, but I would expect to be acutely aware of cybersecurity gaps that exist in my purview and either accept them as a known risk or have a plan on the roadmap to remediate them.
In situations where there is a significant risk for an organization, it is the responsibility of the CISO to raise that risk to the CEO and Board of Directors for awareness. If the group accepts the risk, it should be recorded on the company risk register as a known item that was presented and accepted in its operational state. Having a Risk Governance Steering Committee allows an organization to socialize these issues and take a group approach to discussing potential risks and solutions, prioritizing risks, and achieving organizational buy-in on risk acceptance. The outcome of this committee is presented to the BoD for their review and consideration, allowing the CISO to provide the highest level of awareness and understanding of the landscape.”
Dave Stapleton, CISO, ProcessUnity:
“If the allegations prove to be accurate then my sincere hope is that this case, and others like it, become an example of regulatory oversight that leads to a material shift in security behaviors. It is far too common for security leaders to obfuscate risk to avoid scrutiny. The lack of real cybersecurity knowledge on executive teams and boards may make this kind of practice more commonplace because there is no one who can challenge the “reality” that is presented by CISOs.
These legal actions may deter some would-be CISOs, which is disappointing. No one demands perfection. No one is saying that risk must be reduced to zero. They simply require transparency and good faith efforts to secure sensitive systems and data. CISOs who are adequately supported by their executives and are empowered to speak the truth, even when there may be consequences to the business, have little to fear. The question is, how many CISOs truly feel that kind of support?
As CISOs we need to collectively demand more of ourselves and the organizations we serve. Let’s perform our own due diligence before accepting CISO positions. Is this organization serious about cybersecurity? Do they have a track record of doing the right thing even when the right thing is difficult? Have they proven their sincerity by ensuring that cyber and privacy risks are disclosed at the highest levels of the company? If the answer to these types of questions is “No” then we should act with integrity to challenge decision makers to do better.”
Jeff Pollard, VP, Principal Analyst, Forrester (additional comments):
“This entire episode is frightening for security leaders, but if there is a silver lining to be found it’s here. This is the SEC endorsing CISOs to stop being quiet about security flaws. Putting a spotlight on glaring cybersecurity flaws is no longer the ‘nuclear option,’ per the SEC. It is the way for CISOs to avoid finding themselves in personal legal jeopardy for not raising them loudly enough internally.
Ignoring cybersecurity and failing to secure what you sell is not an option for publicly traded companies. So far, we only have the SEC’s side of events. But other tech leaders should pay special attention to this legal action, particularly details of Brown’s defense. Because, if we find that Brown did fail to escalate these issues and buried them, it looks terrible for him.
This should also concern other C-level executives and tech leaders like CIOs and CTOs especially. Tech leaders who work with cybersecurity leaders that escalate flaws only to have them ignored, deprioritized, or neglected may find themselves the next person charged by the SEC.”