Beginning as far back as 2019, network management software maker SolarWinds was compromised by Russian state-backed actors who inserted malicious code (later dubbed SUNBURST) into an update to its Orion platform, which was then distributed to customers, among them local, state and federal governments. At the time, the breach was thought to have reached thousands of customers. In 2023, the SEC charged the company and its CISO, Timothy Brown, with fraud and internal control failures. SolarWinds and Brown fought the charges, most of which were thrown out in July.
I talked to Derek Vadala, the chief risk officer at cybersecurity firm Bitsight, about how the case has impacted CISOs and the corporate view of cybersecurity. This conversation has been edited for length, clarity and continuity. It was excerpted in the Forbes CIO newsletter.
When the SolarWinds charges first came down, personally charging CISO Timothy Brown with fraud, what kind of impact did that have in the CISO community?
Vadala: There was a lot of concern in the CISO community because this was the first time that something like this had really happened in that part of the technology industry. That’s partly because the CISO role is relatively new. A lot of individuals in that role, even those who were in it for a long time and fairly seasoned veterans of cybersecurity and the CISO function, were surprised that the accountability in that particular issue was being placed on the CISO.
There were other voices in the security community that balanced that with the idea that when you are in a role that is at the executive level—prominent and with significant responsibility for protecting organizations, and ultimately investors and customers—you do bear some risk of being part of an investigation like this, and even potentially [charges]. But the majority of the reaction was concern for Tim, as well as concern for the broader community and the impact that it might have on the long term, making sure that we as a community had people who were qualified, competent, able to interact with executives and regulators that would be willing to be in that role given the change of dynamic.
What immediate things did companies and CISOs start doing after the charges came down?
Companies immediately started looking at a few things. What has been our practice and process around disclosure of cybersecurity events, and do we have a robust, transparent process? Do we have all of the right people at the table to make those decisions when it’s a matter of cybersecurity or technology? Does it include the CISO?
The second thing I think that companies did was really look at their public-facing statements about cybersecurity, and make sure that they’re consistent with what the company believes it’s doing to protect the organization from cyber attacks and data disclosure and other factors. It’s important to recognize that the [charges were] about those disclosures and those representations that SolarWinds had made in various website publications. What most companies did at that point was reaffirm: We have a CISO or a person responsible for cybersecurity. We know who that person is. They are sufficiently represented in decisions around disclosure, and do we have a robust process for this? And then, do we have a good inventory of the places where we’ve made public statements or have persistent public material about this? Is it consistent with our current understanding, not only of the program, but also of the materiality and status of prior incidents?
In July, the majority of the charges were dismissed, including those against Brown, leaving the charges about disclosure that you just mentioned. Did that change the posture of how the IT community and CISOs were responding?
I don’t think it changed the mindset of the community in terms of the fact that this is now a significant issue CISOs need to consider in their continued employment and how that relationship with their employer works, in terms of being protected in these events: the company having the back of the CISO. There was certainly an immediate exhale from the security community. Even if you had variable views on what the right balance was between accountability and the particulars of the SEC [charges], I think everyone felt for Tim and was relieved that at least part of this was settled. In my experience in the community, and even directly with Tim, there was tremendous support for him among the community, both as a CISO and as a person. There was a lot of relief.
I don’t think it’s really changed the discussion around what liability do CISOs have. How do they need to consider protecting themselves, both in employment agreements, as well as the need to consider professional liability insurance policies. If you look closely at what’s going on in that community right now, that’s where a lot of the focus is. As senior security professionals that are either in existing roles or considering new roles, do we understand the things that need to be in an employment agreement to protect us in the future? If there is an event that is deemed to be material, do we have access to the right attorneys potentially to review materials? Do we know who we would call if we were in an unfortunate situation like the one that affected SolarWinds and Tim, and do we need to consider some supplemental insurance? What’s available in the market?
This isn’t something that really has been widely discussed prior to a year ago, so the coverage for that type of professional liability insurance is not really saturated in the market. There are a lot of discussions about that now, including among some of the cyber insurance underwriters. If I’m that person, am I sufficiently covered by the company’s own [directors and officers] policies? To what extent do those policies cover me for certain claims or [charges] or other matters?
Understanding and navigating the details of that has been a major component of every CISO discussion, CISO conference, CISO working group, informal conversations over the last 18 months. This is now taking a reasonable amount of the agenda of those types of discussions and forums.
The initial SolarWinds charges seemed to mirror those for more traditional corporate fraud, in which a company’s CEO or CFO is also personally charged for their culpability and to hold a person accountable. In your career with cybersecurity, how culpable is the average CISO for security breaches?
It depends greatly on the company. Not all CISOs are the same. Not all companies view the CISO role as the same. The most progressive companies certainly think of that role as strategic, as a senior executive: if not part of the executive committee, certainly very close to it and regularly engaging with that committee. It varies by industry and it varies by size. I think that’s probably something the SEC needs to think about how to balance.
There are CISOs who are very engaged in the disclosure process and have complete authority in a company to manage incidents appropriately. There are also cases where the management and execution of that can be highly federated, and there might be multiple people. That’s why it’s important for the CEO and the executive team to really understand and lay out what are the decision-making authorities in the company around these matters, whether it’s disclosure, incident prevention, incident response. Those second two things are certainly going to be in the remit of the CISO, but the disclosure piece is a team effort, and ultimately the general counsel with the CEO and with advice from the CISO and others needs to be the person working through those disclosure processes.
One possible inference from the SEC’s action is that they’re putting companies on notice that the role is important. That’s certainly not how the broader community interpreted it, and perhaps it was not the most effective way to underscore this, but it certainly has caused a reset in thinking about the involvement of the CISO in these decisions, and certainly caused everyone to rethink the material that they’re putting out there, and making sure there’s consistency around that material.
To be fair, it is confusing because you have a governmental authority that does have regulatory and enforcement power, and they exercise those powers regularly for other matters, roles and areas. But this one is a little bit tricky because the organizations that are undergoing these types of events, they are victims. The companies are victims. The CISO is a victim. They are dealing with adversaries every day. And it’s really vital for the regulatory authorities globally to try to balance the fact that partnership is probably going to get more done here than moving toward enforcement and that adversarial tone of regulation.
There’s a bit of a dichotomy even in the federal government in the United States, because when you look at an organization like CISA and even some federal law enforcement organizations like the FBI, there’s extreme collaboration and support for the security community and CISOs and for helping industry prevent attacks, defend against attacks when they happen, respond to attacks when the defense was not successful. I think there can be a balance. We need to, as a community, along with those other law enforcement and federal agencies, try to work with the regulators to broker what that balance looks like.
What impact do you think this has had on the role of CISO in general? Are qualified candidates less likely to apply for roles, or are people less interested in pursuing this as a career goal?
I don’t think it’s been a deterrent. I’ve been a CISO at a Fortune 500 company. It is a great job. It’s fast paced, it’s exciting, it’s technical. It’s in an area of growth and demand. People want these jobs. People want the jobs underneath the CISO that will allow them to get into that role one day. But I do think it is creating a conversation about what is the worth of the role in the context of balancing the risk to the compensation, the reward, et cetera. I think that’s a healthy dialogue, and there’s certainly a lot of talk about that, but I don’t believe it has really lowered the demand for CISOs.
It has created a little ambiguity. Where you might see the pressure point that ambiguity creates is seasoned chief information security officers who have been highly successful at this for 20 to 30 years, in the later stages of their career, thinking: Do I want to continue to take on personal risk here? I do think that could have some chilling effects on the industry broadly, if some of those people decide to take a step back from some of those roles where we need them.
I think a lot of those individuals—even if they are thinking I’ve had a really good run here, I’m not going to do this day to day anymore, especially given the change in climate—most of them are working to help people in the community level up and get educated and become aware of and navigate this issue. There is a virtuous cycle of people who decide not to continue in the career for one reason or another, to help people who are either entering it or just trying to think about transitioning to that next step.
From where you sit, what do you see the SEC doing with cybersecurity cases like SolarWinds in the future? SolarWinds isn’t the only cybersecurity case that the SEC, which previously dealt with more traditional financial fraud, has pursued. Judgment has been mixed, with some going forward to settlements.
I’m not sure what the SEC will do, but I hope they have seen the community reaction here. I hope they have read some of the letters that have been submitted on behalf of Tim, and even in other similar and adjacent cases. I hope that they use that to balance how they might think about cases like this in the future. And I hope that they create more clarity on expectations.
From time to time, every company needs to make statements about their cybersecurity. Those statements are generated at a point in time. They’re reflective of management’s best assessment of the state of cybersecurity at the company. They are reflective of the CISO’s views of what the state of the company is. They tend to have input from a variety of programs and assessments that the organization is conducting on an ongoing basis to understand. And there’s an expectation in the market that companies have information about their cybersecurity programs available to everyone from consumers to other businesses that are engaged. Getting some clarity from the regulators on how they’re thinking about those statements—not the ones that go into the SEC disclosure filings, [but] statements that people make on their websites, on trust pages, on ESG and other pages—we really have to have clarity on what the balance is.
I think it’s important to continue to make statements like that and provide data about cyber practices in the interest of market transparency. We’ve made significant progress on that in the last decade. There are many more companies with trust centers and other places where people can go and understand what they’re doing from a cyber perspective, and I wouldn’t want to see that dialing back as a result of the SEC’s previous [charges], or what they might do in the future. If they could establish for the community, for the CISOs, what are our expectations here and how should you be thinking about a balanced view, that would be helpful.
Correction: We’ve updated this interview transcript to reflect that SEC charges are civil, not criminal. Additionally, SolarWinds provided the following statement regarding the number of impacted customers: “While we previously estimated that up to 18,000 customers could be affected, we now believe that the number of customers affected by SUNBURST is less than 100.”
