The Securities and Exchange Commission (SEC) recently announced charges against SolarWinds Corporation and its chief information security officer (CISO), Timothy G. Brown. The charges include fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities. While these allegations have serious implications for the future of SolarWinds, they also highlight the importance of ethics and executive support for those in CISO careers.
We sat down with Mitch Evans, director of cybersecurity consulting, and Larry Kinkaid, manager of cybersecurity consulting, to gain insight on how these charges will affect not only SolarWinds but the role of the CISO moving forward. Let’s take a look at what they have to say.
What We Know About the Charges
Between Oct. 2018 and Dec. 2020, SolarWinds underwent a nearly two-year cyberattack named SUNBURST, where attackers managed to compromise its network monitoring and management tool Orion, targeting over 18,000 SolarWinds customers—including high-profile enterprises and U.S. agencies. The charges allege that SolarWinds and its CISO defrauded investors during this time by overstating the organization’s cybersecurity practices and understating or failing to disclose known risks.
“SolarWinds’s employees willfully provided false information to the cybersecurity firm investigating the incident, even going so far as to document their intent through internal messaging platforms,” said Evans. “Further, the CISO ignored a critical vulnerability that could result in a remote access compromise of critical systems without any detection by SolarWinds’s security teams. The CISO, after seeing the stock rise when the denials of any negligence went out to the public, sold his stock, seemingly ahead of an inevitable release of the facts we have now.”
“The CISO painted a false picture of the success of SolarWinds’s security teams. He failed to sufficiently raise the organization’s security issues to executive leadership,” said Kinkaid, adding, “It’s indicative of a corporate culture that valued self-orientation over integrity.”
“SolarWinds maintains a seemingly comprehensive trust center to demonstrate their security program. Unfortunately, this reflects poorly on artifacts that are being used by countless companies to verify third-party risk management (TPRM). Standards like ISO 27001 and SOC 2 reports are essential for assurance but aren’t bulletproof,” said Kinkaid, adding, “It appears that a shadow-box was used to obtain the assurances they needed from their audit partners. This is a good example of how security documents are only as good as the leadership that supports it.”
While we can’t predict the outcome of the charges, Evans added that “it seems like the evidence will be damning, specifically for the CISO involved. If the charges are upheld, I would expect some significant management and organizational changes at SolarWinds to prevent issues like this in the future.”
Liability and the Role of the CISO
The accusations lead to additional speculation of how CISOs will handle liability in the future. Kinkaid asked, “What would these charges look like if the CISO had done their job and reported these vulnerabilities to executives? Would that have made executive leadership liable and not just the CISO? Will CISOs need malpractice insurance? How will this affect the compensation of the CISO?”
“The charges are an unprecedented move that establishes accountability to the CISO role, sending a message to other publicly-traded companies that this kind of fraud or negligence will not be tolerated,” said Kinkaid.
“This case is different from the prosecution of CISOs who are doing their best but may not have support from executives or a sufficient budget to allocate appropriate resources for protecting assets,” said Evans. “In this instance, the CISO lied and profited from it.”
“I think this could result in additional liability charges for breaches but only when there’s damning evidence of negligence or absence of due care. Regardless, the incident is a good reminder to be honest and advocate for management support of security initiatives,” said Evans.
Establishing a cybersecurity vision that includes strategic objectives and alignment across teams can help reduce liabilities and strengthen accountability within the culture of your organization.
The Future State of the CISO—Ethics and Advocacy
So, how will the SEC charges affect the state of the CISO? While it may seem daunting for the future of the industry, Evans and Kinkaid suggest a silver lining.
“For me, the SEC charges against SolarWinds don’t change much because of the seemingly damning evidence of the CISO’s actions. It may have somewhat of a chilling effect on those looking to advance in a CISO career. Still, I think we should use this incident to emphasize the importance of security teams and programs and advocate for executive management’s investment in them,” said Evans.
Kinkaid said, “I could see CISOs leaving organizations due to lack of support from their leadership. However, optimistically, this could lead to CISOs having the leverage with their leadership teams to advocate for resources they need to adequately protect their environments.”
As for advice for CISOs, Evans said, “I would go to my CEO tomorrow and show them this story to leverage the charges as support for any resource constraints of my security teams.”
Evans added, “We CISOs should view this as something that will hopefully improve our industry and particularly executive support for security teams. As Weave’s CISO Jessica Sica said, ‘Don’t lie. Don’t cover up. And make sure you are remediating the most critical issues that affect your business.’”
BARR’s cybersecurity consulting services help organizations with the continuous management and advocacy for cybersecurity programs that guard sensitive information. Contact us for more information and to speak with a consulting specialist today.