At the end of October, shockwaves rippled through the cybersecurity sector. Following 2020’s notorious Sunburst attack, the US Securities and Exchange Commission (SEC) charged SolarWinds and its chief information security officer (CISO) with fraud.
The Sunburst attack is one of history's largest and most significant supply-chain compromises, spreading a backdoor across major business organisations and US federal government bodies. The attackers, attributed by the US government to Russia's foreign intelligence service, did not exploit a bug in deployed software; they compromised SolarWinds' build process and inserted the Sunburst backdoor into signed updates of Orion, a network management platform used worldwide across the private and public sectors, so that customers installed the malware through the vendor's own trusted update channel.
The SEC decided it must act and, on October 30th 2023, filed a civil complaint against the company. The SEC claims that SolarWinds "defrauded [its] investors and customers through misstatements, omissions, and schemes." This, it is claimed, was done to hide the company's "poor cybersecurity practices."
Tim Brown, SolarWinds’ CISO, is singled out in the filing. The SEC claims that in October 2018, the company conducted an IPO with “only generic and hypothetical cybersecurity risk disclosures” on associated documents. Contrary to this public statement, Brown wrote in an internal presentation around the same time that SolarWinds’ “current state of security leaves [it] in a very vulnerable state.”
Those in the cybersecurity sector are reeling from this news — and for good reason. The charges have the potential to shape how the law interacts with CISOs and, with that, fundamentally alter their accountability and responsibilities.
Here at Assured Intelligence, we want to clarify the proceedings. So, we talked to a range of cybersecurity professionals to find out what impact the case will have on the industry, if and how it will change the role of CISO, and what the future holds.
This is the question on everyone’s lips: what will the fallout be from this news? How will the charging of Tim Brown impact CISOs?
“This latest SEC charge has brought into focus who is accountable and responsible for managing cybersecurity risk,” Manoj Bhatt, a cybersecurity consultant who has worked with Accenture and the Ministry of Justice, tells me. “More importantly [it shows] that the CISO role is not to be taken lightly.”
“CISOs have always been in the line of fire for the breaches that occur under their watch” Marc Lueck
He continues, saying that CISOs have been in constant debate about their ability to make business decisions to “address cybersecurity risks and vulnerabilities.” This SEC charge will, Bhatt believes, lead to the CISO becoming more active in decisions outside of IT.
Quentyn Taylor, the senior director of product, information security, and global incident response at Canon, comes at the news from another angle.
Taylor thinks that while the SEC's case against SolarWinds will "remind [CISOs] of their responsibilities," it won't dramatically change the rules of the game. There may be some impact further down the line, though, he contends.
“Long term, I think it might change the industry,” Taylor says, “potentially for the good.” He suggests that groups representing information security personnel may begin offering legal and other insurance as part of their membership packages.
This idea of the SEC filing not being quite as dramatic as some feared is echoed by Marc Lueck, CISO EMEA at Zscaler. "CISOs have always been in the line of fire for the breaches that occur under their watch," he tells me.
However, Lueck believes the SolarWinds saga will bring clarity to the industry: “The CISO is a part of the business and not some backroom IT guy for whom the business is a distant relative.”
To put it another way, “guilty or innocent, this case proves that the CISO is part of the game.”
So far, the expert consensus is that the SolarWinds case will highlight the CISO’s importance and potentially deliver increased decision-making powers to those in the role. But what about the wider industry? How will this news impact hiring? What will it do for confidence among external stakeholders, such as investors or customers?
“There will be a higher demand for CISOs who have worked in listed or regulated companies” Stephen Khan
Stephen Khan, a cybersecurity professional who has worked with HSBC, GSK, and Siemens, thinks the SolarWinds scandal will create higher demand for CISOs "who have worked in listed or regulated companies." This experience, he believes, shows they're a business leader, not just a security expert, something that will become increasingly valuable.
“There are only so many CISOs of a particular calibre to go around,” Khan says. Hiring them will become tougher and tougher. But if a company manages to do so? That appointment can boost investor confidence.
Bhatt broadly agrees. He says that as CISOs will be putting their personal and professional reputations on the line, they will demand “assurances that budgets, people, technology, tooling, and ability to inform business change” are under their control. This would be an undeniably good thing for those professionals.
Bhatt believes this will lead to higher wages, but there’s a downside: this may create an environment where “salaries alone are not going to allow companies to attract the best talent.”
There could be greater tension between CISOs and the executive team, where the former do all they can to avoid any risk, and the latter push against that for business reasons.
“It would not be surprising,” Bhatt tells me, “to see CISOs leaving their roles in the future because of a ‘disagreement with the board.’”
There’s a delicate balancing act between the positive and negative outcomes of the SEC’s charges. On the one hand, it makes the CISO role more accountable and valuable, meaning a qualified and experienced individual can have a positive impact on investor confidence.
On the other, it’ll become increasingly hard to hire reputable CISOs, and many will be willing to walk at shorter intervals. This could negatively impact customer sentiment and stock price.
When it comes to cases as large as SolarWinds, it can be hard to see the wood for the trees. CISOs are undeniably in positions of importance, but will the SEC’s charges fundamentally alter their accountability? Or is it business as usual?
“Any corporate officer has always had a responsibility to the sets of regulators the company is governed by” Quentyn Taylor
Lueck from Zscaler believes it’s closer to the latter. He tells me that the case doesn’t change much when it comes to CISOs’ accountability for security breaches. “The words a CISO uses in times of crisis are important,” he says, and “at the very least, this will elevate those words and ensure that corporate responsibility and crisis communication are aligned.”
Taylor from Canon holds a similar view. He says that “any corporate officer has always had a responsibility to the sets of regulators the company is governed by.” The only difference between now and then is that “the perception has changed.”
Countering these opinions, Khan believes the case will lead to “an increase in personal, legal, and professional accountability.”
This new world could see some CISOs struggle with the ramifications of their role, “especially if business and risk management are not their core skills.”
The experts are split on how the levels of accountability will change following the SolarWinds scandal, but they agree on one thing: life won’t get any easier for CISOs.
Ultimately, while the SolarWinds CISO being charged with fraud is shocking, it's not something many should worry about unduly.
“I see this [news] as a maturing of the role rather than a change,” Taylor from Canon says.
CISOs have long held big responsibilities, and the coverage given to the SEC’s charging of SolarWinds should benefit them in the long run, as executives are likely to provide them with extra powers to fulfil their cybersecurity mandate properly.
In situations where this isn’t provided, many CISOs will have the option to resign and find more suitable employment, as the demand for suitably qualified individuals will most likely exceed the supply.
What this all does, though, is place the CISO and their team further into the centre of the company. “Like it or not,” Lueck from Zscaler says, “IT is the lifeblood of an organisation.”
And if companies don’t recognise this, they’re in for a tough few years.