Cold winds swept through offices of organisations as the U.S. Securities and Exchange Commission (SEC) brought charges against SolarWinds Corporation and its chief information security officer (CISO).
With one simple indictment, the lives of CISOs everywhere changed (even if they may not know it yet) as the consequences started to raise what may become the redefining of the CISO role.
This is the second time in recent memory that a CISO is being charged with a crime allegedly committed in the execution of their duties. The fallout from the SolarWinds breach and subsequent SEC charges against the corporation and its CISO has brought into focus a pivotal question: what does this mean for cloud-native security and the responsibilities of CISOs in today's landscape?
With input from some other CISOs, we look to understand what this means for the CISOs today and in the future.
The SolarWinds breach, discovered in late 2020, was an unparalleled cyber attack that invaded the software supply chain, resulting in a compromised update to the SolarWinds Orion software.
This tainted update was distributed to SolarWinds' clients, including several government agencies and corporations. It allowed hackers access to a wide array of sensitive data, leading to a widespread security crisis.
The recent SEC charges against SolarWinds Corporation and its CISO revolve around allegations of inadequate cybersecurity protocols and failure to disclose critical information to investors in a timely manner.
These charges underscore the significance of maintaining robust cybersecurity measures and the necessity of transparency in the aftermath of a security incident.
The SolarWinds breach and subsequent charges have generated a significant shift in how businesses perceive and approach cloud native security, specifically in how they mitigate software supply chain attacks.
One crucial implication of this attack revealed the pressing need for enhanced security measures in the software supply chain. This attack showed how an attacker could inject malware into an update delivered by a software vendor and compromise elements in trusted IT management software deployed by bypassing existing security measures.
Companies and CISOs specifically are now re-evaluating their security postures, implementing more rigorous protocols to safeguard against supply chain attacks and fortify cloud-based infrastructure. This means greater emphasis on scanning, continuous monitoring, and zero-trust security strategies.
This incident also spurred conversations around the accountability and responsibility of CISOs in ensuring the security of their organisations. CISOs are now faced with the mandate to not only fortify existing security measures but also to ensure swift and transparent communication in the event of a breach.
CISOs are at the forefront of departments that interact directly with potential threat actors while upholding the critical mandate to protect the company's data, employees and customers at all costs. Navigating this complex environment now means shouldering the weight of personal liability in addition to ensuring organisational security.
Jim Routh, board member, advisor and investor, and former CSO/CISO, shared his thoughts:
"There is the reality that when engaging in cybersecurity operational practices with threat actors the clarity of legal accountability is murky at best. CISOs lead functions that engage with threat actors through technical proxies and sometimes directly (for example: bug bounty programs) while using services from security intelligence firms that engage with threat actors daily. CISOs must navigate this 'murkiness' using guiding principles while now navigating the personal liability that comes with this."
The recent incident has amplified discussions on the accountability and responsibility of CISOs in guaranteeing the security of their organisations. They're not just tasked with bolstering existing security measures but are now compelled to champion swift and transparent communication in the aftermath of a breach.
As a result, Jim also points out the number of new areas that must be considered during a CISO negotiation process before an offer is made and compensation terms are resolved. Pointing also to the recent Uber verdict, he recommends that CISO's need to determine whether they are considered a company officer:
- Understand what level of indemnification coverage is offered (attorney fees for a representative from the company's law firm provided, attorney fees for a dedicated attorney for the CISO, and penalties paid for by the enterprise, including upon conviction.
- The current policy for regulatory and law enforcement notification? (Typically, the CISO is not accountable for the legal team doing the notifying, but this didn't help Joe). Jim shares more insights on this topic in a recent webinar: Uber Verdict: The CISO, The Law, and The Door!
To further complicate navigating information sharing. Jim adds: "The recent SEC action against Tim Brown sets a precedent that makes information sharing between regulatory bodies and the private sector much more challenging; a direct contradiction with efforts to improve information sharing between government entities and the private sector, where the majority of critical infrastructure resides."
Jim Routh quote: The role of a CISO has evolved considerably in the wake of the SolarWinds incident and the subsequent SEC charges.
CISOs are now tasked with a more strategic and all-encompassing role, encompassing not only the implementation of robust security measures but also being proactive in risk assessment and management.
One significant lesson from this case is the necessity of transparent reporting. CISOs and corporate leaders should establish a culture of openness in cybersecurity reporting, avoiding misrepresentations that can result in severe legal and financial consequences.
Additionally, there is a need for organisations to prioritise robust cybersecurity measures, not just to meet regulations but to actively defend against known vulnerabilities and emerging threats. Effective risk management and prompt resolution of known vulnerabilities, as well as alignment between internal assessments and external disclosures, are essential.
Aaron Weis, managing director of Google and former CIO at the U.S. Navy, shared his perspectives:
"This decision has significant implications for CISOs moving forward, emphasising the need for heightened vigilance, proactive risk management and transparent communication with stakeholders. Fostering a culture of cybersecurity awareness throughout the organisation is vital.
"This ensures that every employee understands their role in maintaining security. Finally, organisations must be prepared for incidents. Given the inevitability of cyber-attacks, having robust incident response plans in place is essential to minimise damage and enable swift recovery."
The SolarWinds incident and subsequent actions taken by the SEC have undeniably reshaped the narrative around cloud native security and the role of CISOs. The focus has shifted to emphasise the critical importance of cybersecurity practices for companies.
Beyond mere regulatory compliance, this case underscores the need for organisations to actively reduce risks and safeguard their reputation. CISOs, as key figures in this landscape, must take a leading role in this effort.
Aron Weiss quote: "As the landscape continues to evolve, companies will likely invest more in robust cybersecurity infrastructure and incident response mechanisms. CISOs will be at the forefront of this transformation, playing a pivotal role in steering their organisations towards a more resilient and secure future."
The SEC charges against SolarWinds Corporation and its CISO have acted as a wake-up call, prompting a re-evaluation of cybersecurity strategies and the responsibilities of CISOs. Aaron summarises the takeaways as follows:
- Elevated cybersecurity responsibilities: CISOs must recognise that their role extends beyond technical implementation to encompass broader aspects of cybersecurity governance, including risk assessment, vulnerability management, and incident response preparedness.
- Stronger internal controls: CISOs should collaborate with senior management and internal audit teams to establish robust internal controls that effectively identify, assess, and mitigate cybersecurity risks.
- Transparent risk disclosure: CISOs must ensure that cybersecurity risks and vulnerabilities are accurately disclosed to investors and other stakeholders, providing a transparent and realistic picture of the company's cybersecurity posture.
The incident has underscored the critical need for proactive and transparent security measures in the era of cloud native operations. Moving forward, businesses must adapt by strengthening their security protocols and empowering CISOs to lead the charge in fortifying their organisation's cybersecurity resilience.
The aftermath of the SolarWinds breach is a pivotal moment that propels us towards a more secure and vigilant future in the realm of cloud native security.