By now, most in the cybersecurity industry are aware of the recent filing by the Securities and Exchange Commission (SEC) against Timothy Brown, the CISO at SolarWinds, as a codefendant in a complaint against the company alleging fraud and internal control failures.
This statement from the SEC explains the basis of its case: “…from at least its October 2018 initial public offering through at least its December 2020 announcement that it was the target of a massive, nearly two-year long cyberattack, dubbed ‘SUNBURST,’ SolarWinds and Brown defrauded investors by overstating SolarWinds’ cybersecurity practices and understating or failing to disclose known risks.”
Brown isn’t the first CISO named in court filings. That dubious accolade likely belongs to the former CISO of Uber. But Brown’s inclusion in this more recent claim probably signals more litigation naming CISOs.
Filing suit against CISOs
In the SolarWinds filing, the SEC claims that Brown knew about SolarWinds’ cybersecurity risks and vulnerabilities and knowingly failed to resolve these issues or sufficiently raise them further within the company. The SEC alleges that because of his lapses, the company couldn’t provide reasonable assurances that its most valuable assets, including flagship product Orion, were adequately protected.
In a joint filing like this, where is the line between individual and company responsibilities and culpability? I’ve read the full complaint, and there are some things about this individual case that we should break down, but more importantly, I want to look deeper at what this means for CISOs now and what it could mean in the future.
Court of public opinion
Countless social media posts, opinion pieces, and blogs on this topic show extremely divided views in the cybersecurity community, including clearly expressed opinions by some of the most prominent players in the industry.
At one end of the spectrum are those who believe the SEC is completely out of line, something they passionately expressed with strong and sometimes profanity-laced language. At the other end of the spectrum, others support the SEC’s decision and use specific content from the filing to support their belief that Brown conducted fraud.
The filed complaint totals 68 pages and covers a lot of ground. I’ll leave the unraveling of all of that to the courts, but the depth of the content might illustrate the idea that more than one thing can be true at the same time.
Not the butterfly effect
The SEC complaint doesn’t signal a slight shift in the industry. Instead, it’s seismic. The aftermath will be immediate in some areas; others will be more like aftershocks that resonate for years. The waves will ultimately touch corporate counsel, cyber insurance providers, the board of directors, organizational leadership, and HR, but the most direct hits will be to the CISO role.
I expect to see the following outcomes.
CISO attrition and recruitment
There is going to be churn in the CISO community. I really don’t see any room for doubt on this. For CISOs already contemplating leaving their role, the SEC’s charges will only add fuel to their desire to get out. Others feeling pressure or low support from their board of directors or C-level management will likely strongly consider moving on now. I can confidently say that there will be attrition related to the CISO role, either by CISOs already in a similar position as Tim Brown or those who want to be sure not to head there.
Recruiting CISOs will become more challenging moving forward. Burnout, stress, and insurmountable challenges riddle the cybersecurity industry. CISOs face those same difficulties in spades in a way that is unique to the role. Add in the fact that the SEC is heavily scrutinizing publicly traded organizations, and I don’t see younger cybersecurity executives jumping at the opportunity to become a CISO.
Increasing focus on cybersecurity disclosure and risk management
Organizations are scrambling to understand the updated SEC disclosure requirements. Your organization should be fully aware of and aligned with the SEC disclosure requirements. I’d recommend taking that a step further.
At Converge, our Cybersecurity team is seeing a strong uptick in incident response tabletop exercises and other services acutely focused on disclosure requirements. I expect this trend to continue, and I advocate for organizations to prepare accordingly by conducting live fire drills and tabletop exercises. These projects help ensure that all personnel involved in an incident understand their role in disclosure requirements.
The SEC complaint has two defendants but identifies other individuals and the role they allegedly played. The SEC highlights multiple levels of negligence, disregard for risks, and efforts to conceal problems throughout the full complaint. Whether this indicates liability being distributed further within an organization remains to be seen.
Applying adequate disclosure but no more
This complaint originated with the SEC, but requirements around data and privacy breaches aren’t just applicable to publicly traded companies. Countless state regulations now govern the disclosure of incident details within days of discovering the breach.
The filing of the SEC complaint should be a lightning rod for organizations. Have a solid game plan in place to identify what should and should not be included in your disclosures. There was a stark difference in the level of detail that Caesars and MGM included in their recent ransomware incident disclosures. We believe that organizations should work closely with legal counsel to ensure only the minimum information needed is included in disclosures—just enough to meet the requirements demanded by the SEC. Less is more in these situations.
Where does the buck stop for security?
Organizations are insecure by nature. It takes a significant investment of time, money, and resources to establish an acceptable level of risk. The CISO should be at the heart of these investments with adequate control of the budget but isn’t the single person responsible for the success or failure of the organization’s security.
Responsibility extends throughout the organization, often lying directly in the highest echelon of the organization. The SEC claim specifically identifies the CISO role, with actions by others in the C-suite seemingly identified as “Company.” What could be missing from this detailed complaint is what interactions and communications occurred between the CISO and those who ultimately decide what and often who gets funding and support.
I believe that CISOs will demand more support from the board and other stakeholders and will work to put themselves into a more defensible position.
The CISO’s defensive stance
CISOs should have held a defensible position for the past two decades. While that may not have been historically afforded due to resource constraints, the SEC filing amplifies the need for CISOs to take a more proactive approach to ensure that happens.
From the field, we’ve seen customers in the CISO role take several approaches. The list below includes those methods plus our suggestions to help CISOs, current and future, reduce their risk exposure:
- Earn more accountability and support from the board, the C-suite, and other stakeholders. Keeping the board and executive leaders updated on current cyberattacks and the impact other organizations are experiencing on revenue, reputation, and resources should foster receptiveness for your initiatives.
- Provide regular reports illustrating the effectiveness of security measures or the lack thereof. Include risks that stakeholders should be aware of and use meaningful metrics to demonstrate the return on investment (ROI) and reduction in risk from implemented security strategies.
- Drive transparent communication with stakeholders, including senior management, the board of directors, and employees about the organization’s risk. The CISO is responsible for clearly informing everyone in the organization about current cybersecurity risks and initiatives. Each audience has different concerns and priorities, so tailor your communications to resonate with each. For the board and executives, translate technical jargon into business terms that highlight the potential impact of security measures or lapses on the organization’s bottom line, reputation, and goals.
- Get your house in order. Have or lobby for what’s needed to assess your security stance today and implement the policies, processes, and procedures to get you where you need to be. Implement security controls, develop incident response and disaster recovery plans, patch regularly, and test your defenses frequently. Often, it’s the basics left undone that lead to a breach.
- Work closely with legal counsel. Use this interaction to help evaluate your liability and ensure that D&O insurance coverage is available and adequate.
- Document! Anyone in a CISO role, regardless of support or resource allocations, needs to keep detailed documentation of discussions with, and decisions made by, senior leaders. This can be a ledger of known and acknowledged risks to measure and address as resources allow, creating bi-directional communication between the CISO and the board of directors. This communication can ensure adequate support for the security officer in the context of new and known risks.
Almost none of the CISOs I know have the full resources needed to do their jobs. It is possible to increase support, budget, and awareness with more accountability from executive leadership and solid communications with stakeholders.
What’s next for CISOs?
The CISO role will evolve differently in each organization, but this evolution must happen. CISOs need the appropriate seat at the leadership table for the right insurance coverage, planning, and communications to occur. Organizations need to empower security leaders, just as they empower executives in other positions, to inform board members and investors of key risk indicators.
The cybersecurity space no longer has room for complacency. CISOs need to be more capable, informed, and enabled than ever before to be successful. To do that, CISOs need to be more assertive to shed a traditional reactive stance and to embrace a proactive, risk-mitigation mindset. This will hold boards and other corporate stakeholders accountable for fortifying organizational defenses.
To learn more about maturing your cybersecurity program at the right pace for your organization, reach out to our cybersecurity consultants today.