Ever since the Securities and Exchange Commission (SEC) disclosed its charges against the SolarWinds Corporation and its Chief Information Security Officer (CISO) Timothy Brown, relating to fraud, weaknesses in internal cybersecurity controls, and more, the cybersecurity industry has been in a state of contentious debate. Some contend the company and its CISO earned the charges from the SEC, while others argue the charges are misplaced on the CISO and show a fundamental misunderstanding of the role of the CISO.
"Practically speaking, this is less game-changing and more supports the reality that cybersecurity is very much on the path, if not already there, of being a recognized element of an organization's fiduciary responsibilities," says Scott Kannry, CEO at cyber risk management and quantification software provider Axio. "And that puts the individual ultimately responsible for cybersecurity on the same plane as CFOs, CEOs, and other Ds and Os [directors and officers] of the organization," Kannry says.
The SEC's complaint centers on the government's belief that the company defrauded investors by failing to accurately disclose its cybersecurity risks and exaggerating its cybersecurity readiness. "SolarWinds' public statements about its cybersecurity practices and risks painted a starkly different picture from internal discussions and assessments about the Company's cybersecurity policy violations, vulnerabilities, and cyberattacks," the complaint reads.
Essentially, the SEC alleges SolarWinds and Brown deceived investors by downplaying known security weaknesses and failed to adequately disclose the full nature of the SUNBURST attack in SolarWinds’ 8-K filing in December 2020. The SEC's complaint also alleges, in addition to other reporting and internal controls provisions, that SolarWinds and Brown violated the antifraud provisions of the Securities Exchange Act of 1934 and the 1933 Securities Act.
The reaction from the cybersecurity industry has indeed been mixed. Many argue that SolarWinds and its CISO should face the consequences for their actions leading up to and throughout the SUNBURST attack. In contrast, others contend it sends a chill and harms the ability of CISOs to manage cyber risks.
"A key question to ask is whether you [as the CISO] want this responsibility (and burden) that is now no different than the CFO being the one responsible for the balance sheet," Kannry asks. "If yes, it is now critically important to be reasonably informed of cyber risks the organization faces via a means that is relatable to investors. And subsequently make decisions based on such understanding, in an informed, defensible, and consistent manner.
"If the answer is no, the organization needs to appoint someone to bear this burden who is responsible for the understanding and strategy development, and then working hand in hand with the technical leader to execute on that strategy," Kannry says.
Others contend that the SEC’s actions show the agency doesn’t understand the role of the CISO and wrongly singles out the CISO’s office. Andrew Jaquith, former security analyst and former CISO at international law firm Covington & Burling LLP, says he’s spoken with numerous CISOs who have expressed frustration at the SEC actions. "It's too cute to say, ‘Just do a good job, and you'll have nothing to worry about.’ Sure, that's easy in hindsight—especially in this case. As if budgets to fix things were unlimited, risk identification was complete and accurate, risk appetites were zero, customers were infinitely patient, and perfect transparency on 10Ks was possible or even desirable. That's not reality," Jaquith says, describing the general feeling among the CISOs with whom he’s spoken.
"Most CISOs both represent their programs externally (business-focused) and operate and improve internally (risk-focused). There's always work to do, much of it important or urgent. That doesn't give them license to lie. But CISOs can't magically divine what is ‘material’ to a shareholder. By targeting Tim [SolarWinds CISO] personally, to the exclusion of others, that is effectively what the SEC is saying he should have done. It's rule-making in slow motion," he adds.
Others assert that the complaint does not reflect reality and makes the CISO role impossible to execute. "The public company CISO role looks untenable," says Walter Haydock, founder and CEO at the AI cybersecurity firm StackAware. Haydock contends that the recent legal actions against Uber's and SolarWinds’ CISOs require significantly more authority to be placed in the hands of the CISO for the role to be workable, including the unilateral power to disclose actual, attempted, or suspected loss of data; unilateral authority to make SEC disclosures of material cybersecurity incidents without delay; veto authority over all SEC filings; and the ability to override risk acceptance decisions and commandeer engineers to fix underlying issues.
"If the CISO is accountable for proper disclosures, then he needs to be able to make them whenever he wants," he says. "The SolarWinds CISO was charged in his personal capacity because [in] ‘its filings with the SEC [pre-breach]...SolarWinds allegedly misled investors by disclosing only generic and hypothetical risks at a time.’ If the CISO is accountable for SEC filings, they will need his sign-off," he adds.
SolarWinds, its CISO, and the SUNBURST attack have garnered so much attention because the attack affected many U.S. government agencies and large corporations and is believed to have been conducted by Russian state-sponsored hackers. SUNBURST is considered one of the most far-reaching cyberattacks against U.S. interests ever.
The attack was carried out by compromising SolarWinds' Orion monitoring and management software and injecting malware into it. In 2020, when customers applied the Orion update, a Trojan horse was clandestinely introduced into their environments. The total impact of the SUNBURST attack remains unknown.
"At the end of the day, the security leader and organization that can demonstrate a well-informed understanding of the risk and a reasonable and defensible decisioning trail, even after a significant event happens, realistically should not have anything to worry about. They've fulfilled their fiduciary responsibilities. Those that can't, or even worse, intentionally act otherwise, have major cause for concern. And that's the reality of cyber as a risk. When SolarWinds has its day in court, we'll find out which camp they really were in," Kannry says.
That's likely so, but it's small comfort to CISOs who must do their work today while, in all likelihood, being held personally accountable without possessing the power to manage risk in the way the SEC now demands. Meanwhile, executives and business leaders with as much responsibility for the organization's risk management efforts and their effectiveness are not held to the same standard.
George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.