The latest development in the ongoing SolarWinds saga came this week when the Securities and Exchange Commission (SEC) announced it had filed charges against the company and its CISO, Timothy G. Brown. The complaint, made public on Oct. 30, accuses these two parties of defrauding investors by misrepresenting the company’s cybersecurity practices, not disclosing known risks, and misleading both investors and the SEC with respect to SolarWinds’ two-year-long SUNBURST cyberattack.
These are serious charges. If they are found to be true, the parties responsible must be held accountable. But that’s just the issue: exactly WHO is responsible for a company’s cybersecurity? And where does the buck ultimately stop? These are big, hairy questions, and for CISOs and other security leaders, this case could have major implications for these roles going forward.
The CISO’s role: Hard to define
The job of the CISO is one of the most ambiguous in the corporate world since its scope, responsibilities, team composition, and size vary by industry, country, and even company. There are a lot of balls to juggle, and sometimes it can feel like you’re trying to do it with one hand.
Given these ambiguities, the case against SolarWinds has me feeling some trepidation and a bit self-reflective. I can’t help but think back to earlier times in my own career and wonder whether I made the right decision following this career path. For my fellow CISOs, this could have a significant bearing on how we do our jobs. It could impact CISOs’ ability to renegotiate their contracts, not to mention their ability to protect themselves and their families from the repercussions of the concerns and risks they’ve raised that leadership might have deemed “acceptable” or outright ignored. It could also mean fewer talented CISOs want to work for publicly traded companies.
This case does remind me a bit of the Uber case, in which that company’s former CISO was found guilty of intentionally covering up a breach. In that instance, even though the charges were felony-level and the prosecution asked for more than a year’s jail time, the judge gave the CISO three years’ probation. However, the judge made it clear that it was the circumstances of this case that called for leniency and that future CISO offenders may not get the same treatment.
At the time, many CISOs saw that judgment as an unfair distribution of responsibility and liability versus the business, which ultimately owns the risks. And given that it’s already a difficult job prone to burnout, the threat of jail time and/or costly fines certainly doesn’t do much for the role’s reputation.
Yet given these market trends and industry challenges, the role of CISO is more strategically necessary than ever before. How then do we encourage others to pursue this path amid these expanding concerns?
Smart moves for CISOs
The silver lining of all of this? CISOs can use this as an opportunity to get more buy-in or support from their executive teams and boards. It’s a good time for CISOs to review their contracts and cyber insurance policies to ensure they’re fully covered. They should also ask their general counsel what would happen if an investigation were to be opened. And they should make sure they’ve brushed up on and are adhering to the SEC’s new disclosure rule.
Another smart move is to start a risk register and document everything. If you’re a CISO and don’t know how to create or maintain one, ask for support. Audit, risk, and GRC teams, networking groups, and others are out there and willing to help. Start documenting risk decisions being made and what your recommendations are to mitigate the risk. Establish governance processes to periodically revisit those risk decisions, depending on the residual risk exposure.
Is it time for CISOs to lawyer up?
It might even be the case that some CISOs may need to retain personal legal counsel moving forward, but it’s still early days. This is something I have heard many of my peers say they are looking into to protect their interests, while trying to understand the associated costs.
The question that really needs to be answered and understood is: How many other corporate executives require their own external counsel, and what does that say about the direction of accountability for corporate goals and objectives? Most security teams are treated as cost centers rather than as value-adds, which is a mistake. Security is expected by default and is seen as a differentiator in the market. Investments in security help build trust and confidence in brands and products.
Proceed with caution
To better enforce proper security postures and policies within a company, CISOs should establish a governance forum to ensure executive leadership is aware of the decisions being made at other levels in the company. This not only provides transparency but also allows the executive team to override those decisions.
Depending on how this particular court case works out, the role of CISO could become less desirable. That, in turn, could affect the talent pool of those wanting to become a CISO one day. The challenge will be holding the business decision-makers accountable since the CISO does not own security risk; it’s a shared responsibility.
I’ll be keeping a close eye on this case since the repercussions for my role could be impactful, and I’ll continue following my own recommendations for keeping my company and my role safe.