In a development sparking chatter and debate through the cybersecurity world, the lawsuit filed by the the U.S. Securities and Exchange Commission (SEC) against the Chief Information Security Officer (CISO) of SolarWinds is leaving CISOs across the industry spooked and reevaluating their roles.
The lawsuit alleges that former SolarWinds CISO Timothy Brown failed to disclose critical information regarding the massive cyberattack on the company’s software supply chain that occurred in late 2020. The complex attack, widely attributed to state-sponsored Russian hackers, compromised the networks of numerous government agencies and corporations that relied on SolarWinds’ products. The breach was a significant event in the world of cybersecurity, leading to a frenzy of investigations and regulatory scrutiny.
The SEC’s lawsuit is a rare instance of a regulatory body targeting a CISO for alleged mismanagement of cybersecurity risks. The suit claims that the former CISO was aware of the vulnerabilities in SolarWinds’ systems but did not disclose them adequately to the company’s investors, leading to misleading statements in SolarWinds’ filings with the SEC.
Industry experts have expressed mixed opinions on the SEC’s lawsuit. Some view it as a necessary step toward holding CISOs accountable for their actions or inactions when it comes to cybersecurity. They argue that CISOs play a crucial role in safeguarding a company’s digital assets and must be transparent with both their organization and regulators about potential threats.
“The SEC litigation against SolarWinds is going to do more to advance security than another decade of breaches would,” Jake Williams, a prominent cybersecurity expert wrote in a post on X. “CISOs are often beaten into submission under threat of losing their jobs. The SEC gave them the holy hand grenade to fight back against any pressure to mislead.”
However, others, including SolarWinds itself, argue that this lawsuit sets a concerning precedent. They fear that CISOs may become hesitant to share information about cyber threats within their organizations, worried that any disclosure might open them up to legal action. This, they say, could hinder the industry’s ability to effectively respond to cyberattacks and protect sensitive data.
“The SEC’s charges now risk the open information-sharing across the industry that cybersecurity experts agree is needed for our collective security,” Sudhakar Ramakrishna, President and Chief Executive Officer of SolarWinds, noted in a blog post addressing the charges. “They also risk disenfranchising earnest cybersecurity professionals across the country, taking these cyber warriors off the front lines. I worry these actions will stunt the growth of public-private partnerships and broader information-sharing, making us all even more vulnerable to security attacks.”
In response to the lawsuit, many CISOs and cybersecurity professionals will be taking a closer look at their own roles and responsibilities. Many will be consulting with legal teams to ensure they have a clear understanding of the potential legal risks associated with their positions. Others will surely be revising their disclosure practices to strike a balance between transparency and potential liability.
The SolarWinds lawsuit has highlighted the evolving nature of CISOs’ responsibilities. No longer confined to just managing technical security measures, CISOs are increasingly expected to be adept communicators, translating complex cybersecurity threats into language that their executive teams, boards, and regulators can understand.
“The headline here is in paragraph 10 of the legal complaint: the commissions and false statements about security would have violated securities laws even if SolarWinds hadn’t been targeted. That they were targeted only served to highlight the issues,” Williams told SecurityWeek.
“CISOs, especially those at publicly traded companies, should take stock of their security programs and ensure that what’s being communicated to the public is rooted in reality rather than spin and wishful thinking,” added. “For those in privately held organizations, the SEC is setting a new standard for security disclosures with this lawsuit. Don’t be surprised to see that standard used in litigation if you make false, incomplete, or misleading statements about security to customers or business partners.”
It remains to be seen how the lawsuit against the former SolarWinds CISO will unfold and what implications it will have for the cybersecurity industry as a whole. Regardless of the outcome, it serves as a stark reminder that the role of CISOs is continually evolving, and they must navigate a complex landscape of legal and regulatory challenges.