Remember back in March when we advised CISOs to lawyer up? Yeah, we were right.
Yesterday’s SEC indictment of SolarWinds CISO Timothy G. Brown sends a chilling message to all CISOs, and rightfully so. We’ve parsed it and highlighted below the most important parts of the complaint to help CISOs understand exactly what this means for them and its implications.
The Time Frame
One of the key themes of the complaint is that SolarWinds’ initial public offering occurred in 2018, at the same time that it is believed the SUNBURST attack occurred, which persisted through 2020. As part of its IPO process and subsequent financial disclosures, SolarWinds made numerous statements about its cybersecurity posture and preparedness. The SEC alleges that these statements are false based in part on the cyberattack itself and internal statements from SolarWinds employees that the company faced numerous security challenges.
Internal Presentations As Evidence
Multiple internal presentations disagreed with the information included in disclosures and financial reports. These reports, according to the SEC, failed to accurately disclose the actual state of cybersecurity posture within SolarWinds. For example, engineers shared that SolarWinds did not have the capacity to detect remote access activity. None of these representations made it into any mandatory financial reports from the SEC regarding SolarWinds’ security posture and the risk that it represented to investors.
Failure To Escalate Equals Fraud
This portion is by far the biggest element of the SEC’s complaint against Brown that CISOs should focus on. The SEC’s Oct. 30 press release states:
“The SEC’s complaint alleges that Brown was aware of SolarWinds’ cybersecurity risks and vulnerabilities but failed to resolve the issues or, at times, sufficiently raise them further within the company.”
Note that we added the emphasis to the portion in bold. A CISO can’t secure a company alone. And a key part of the SEC’s complaint highlights this issue by alleging that Brown failed to adequately raise these issues internally, opting instead to minimize them in public disclosures, thereby defrauding investors.
This entire episode is frightening for security leaders … but if there is a silver lining to be found … it’s here. This is the SEC endorsing CISOs to stop being quiet about security flaws. Putting a spotlight on glaring cybersecurity flaws is no longer the nuclear option, per the SEC. It is rather the way for CISOs to avoid finding themselves in personal legal jeopardy for not raising those flaws loudly enough internally.
Is The SEC Scapegoating CISOs?
It certainly seems that way from the outside looking in. And much of determining whether this is true hinges on the above facts. Did Brown adequately raise these issues — and the severity — internally to other SolarWinds executives? If he did this in a way that other CISOs feel represents how they would do the same, then it should frighten each one of them. If he raised them but failed to persuade other leaders about their importance, that is also frightening. But if he concealed them or downplayed them from other executives, that is a different story, one that CISOs should factor in before questioning whether they should run — not walk — away from their current or future gigs.
Takeaways For Other C-Levels
Ignoring cybersecurity and failing to secure what you sell is not an option for publicly traded companies. So far, we only have the SEC’s side of events. But other tech leaders should pay special attention to this legal action, particularly details of Brown’s defense, because if we find that Brown did fail to escalate these issues and buried them, it looks terrible for him.
But this should also concern other C-levels and tech leaders such as CIOs and CTOs especially. Because tech leaders that work with cybersecurity leaders that escalate flaws only to have them ignored, deprioritized, or neglected may find themselves the next person charged by the SEC.
Meet Us At Security & Risk Forum 2023
Check out the agenda for our upcoming Security & Risk Forum, taking place November 14–15 in Washington, D.C. We’ll have 25 sessions led by Forrester analysts, including Jess and me, who will be available for one-on-one meetings during the event, as well.