CISOs on alert following SEC charges against SolarWinds
The Securities and Exchange Commission announced charges against SolarWinds and its CISO in October, but will it help improve transparency or simply scare infosec executives?
Listen to this article. This audio was generated by AI.
While the outcome of the Security and Exchange Commission's complaint against SolarWinds remains to be seen, infosec experts say the charges are likely to have a major impact on the role of the CISO going forward.
In late October, the SEC charged SolarWinds and its CISO Timothy Brown with fraud and internal failures related to the massive supply chain attack that was discovered in late 2020, which affected federal government agencies that used SolarWinds' Orion IT management software. The SEC alleged SolarWinds and Brown misrepresented the company's cybersecurity posture to shareholders in public statements. SolarWinds issued a rebuttal statement a week later denying the charges, though the statement did not mention Brown.
Now infosec experts are torn on where the blame should be placed. On one hand, vulnerability management, which is one issue addressed in the charges, is challenging for organizations of all sizes, especially as attackers increasingly leverage zero-day vulnerabilities. However, infosec experts also say the charges highlight the importance of improving an organization's cybersecurity posture and providing transparency into attacks, which is helpful for defenders.
Transparency challenges were further underscored in August when the SEC implemented a four-day reporting rule for publicly traded companies.
While increased transparency could be a positive outcome from the charges, infosec experts are concerned with the effect on CISOs. The sentiment was echoed by many in the industry, including Jeff Pollard and Jess Burn, analysts at Forrester Research. The pair co-authored a blog post in October titled "Forget Ghost Stories: CISOs Should Be Scared of the SEC," which highlighted one particularly important sentence from the SEC's Oct. 30 complaint.
Timothy Brown
"The SEC's complaint alleges that Brown was aware of SolarWinds' cybersecurity risks and vulnerabilities but failed to resolve the issues or, at times, sufficiently raise them further within the company," the SEC wrote in the complaint.
The SEC alleged that Brown's internal emails, which stated the "company's critical assets were very vulnerable," did not match investor reports around the time when Russian nation-state hackers breached SolarWinds. Pollard and Burns said it appears that the SEC might have been "scapegoating" CISOs, but the analysts believe the charges could help promote reporting transparency.
"This entire episode is frightening for security leaders … but if there is a silver lining to be found … it's here. This is the SEC endorsing CISOs to stop being quiet about security flaws," Pollard and Burns wrote in the blog post.
CISO scapegoating?
Jake Williams, an infosec professional and faculty member at IANS Research, also addressed the scapegoating issue but in relation to SolarWinds omitting Brown from its counterargument. While SolarWinds "categorially" denied SEC allegations that the company lacked adequate security controls prior to the Sunburst attack, refuted claims of a VPN vulnerability and argued that it submitted "accurate" SEC filings, there was no mention of Brown. That came as no surprise to Williams.
"They may be trying to scapegoat him, and potentially rightfully so," Williams told TechTarget Editorial. "In any case, I don't see how SolarWinds benefits by linking their defense to Brown. It seems likely he'll implicate other leadership in his defense. I doubt this will end amicably for either party."
Mark Bowling, CISO of ExtraHop Networks, also did not expect SolarWinds to back Brown. If they were protecting Brown, he said, the statement would have reflected that. Instead, the rebuttal statement emphasized that SolarWinds did not commit fraud, which Bowling interpreted as the company only looking out for itself.
"Some attorney wrote that and was more than happy to throw [Brown] under the bus," Bowling said.
He added that while he believes the charges against Brown seemed like an overreaction, the CISO does have a responsibility to make truthful public statements about the company's security posture. Bowling emphasized that SolarWinds is not being charged for the 2020 attack but for misleading investors about its cybersecurity posture.
"The pendulum has swung from the SEC being too lenient to now maybe being a little more aggressive. Do I personally think they're overcharging them? Yes. Do I think there are 500 other publicly traded companies out there that have misrepresented their cybersecurity posture in the past and on SOX [Sarbanes-Oxley Act] Section 404 reports? Yes. He's just the one who allegedly got caught," Bowling said.
Tim Morris, chief security officer for software company Tanium, said the case will be "historic" in terms of its effect on CISOs and security executives. He advised CISOs to be truthful in every aspect and ensure they're covered by the same [disclosure] policies as the leaders of the organization. "I do think it makes every CISO reevaluate what it is they're doing. The SEC new disclosure rules are coming out because they felt there was a failure there too," he said.
Based on the facts laid out in the indictment, Williams believes the charges are warranted and agreed that SolarWinds and Brown took steps to mislead investors. "The SEC's job is investor protection and they're clearly protecting the investor here," he said. "I think CISOs and publicly traded organizations are on notice now that they need to ensure their communications to the public about cyber risk are consistent with internal communications."
Like Bowling and Williams, Jon Marler, cybersecurity evangelist at VikingCloud, said it was not shocking that SolarWinds' statement left out Brown. Based on the complaint and press release from the SEC, Marler said SolarWinds has a long road ahead of them to respond to those specific charges against Brown.
"The SEC has a long history of holding executives accountable for leadership failures and mistakes that end up costing investors large amounts of money," Marler said in an email to TechTarget Editorial. "The government doesn't have a lot of levers to pull when it comes to cybersecurity. But when the outcome has a significant impact on investors, it makes sense that the SEC will initiate an enforcement action."
In 2022, SolarWinds agreed to a $26 million settlement in a shareholder lawsuit over the data breach. A Reuters report from 2021 cited an $18 million fallout cost in the first three months after the breach occurred. The SEC charges could potentially lead to further financial losses for the company.
TechTarget reached out to SolarWinds regarding any updates since the SEC announcement and subsequent rebuttal statement.
"We continue to dispute the charges against SolarWinds and our dedicated CISO, Tim Brown, and the interpretation of facts presented by the SEC on both parties. We are confident that the disclosures SolarWinds made were accurate both before and after SUNBURST, and Tim's actions were both commendable and performed in good faith," a SolarWinds spokesperson said in an email to TechTarget Editorial.
Calls for better cybersecurity hygiene
One of the biggest disputes between SolarWinds and the SEC pertains to cybersecurity standards. For example, the SEC's complaint accused SolarWinds of misleading investors by claiming it adhered to the NIST Cybersecurity Framework. However, SolarWinds said the SEC's accusation is inaccurate, which was based on a preliminary self-assessment for a completely different set of NIST standards.
Despite the dispute over the NIST Cybersecurity Framework, such standards could play an important role in the case and for other CISOs going forward. Marler said it's common for companies to know they have vulnerabilities and gaps in the cybersecurity posture but aren't willing to, or unable to, fully mitigate those risks.
Infosec experts often attribute security challenges to IT workforce reductions and a lack of visibility into a company's environment, which can make incident response extremely challenging. For example, it took a large corporation like SolarWinds several months to track the attack timeline to early 2019, though the company still hasn't determined how the attackers first gained access to the network.
Marler said a key issue for SolarWinds is that the SEC claimed the company did not have an adequate plan in place that prioritized the most significant risks facing the company. While patch management is difficult, industry experts and agencies like CISA always recommend prioritization of the most critical flaws and those that are under attack in the wild. That was one reason CISA launched the Known Exploited Vulnerabilities Catalog in 2021.
"It is extremely important for executives to know exactly what their cybersecurity posture is and be above reproach before making public statements that regulators can use against them," Marler said.
The charges also represent an increasingly challenging threat landscape that requires enterprises to adapt and respond quickly. A surge in ransomware attacks that employ more ruthless data extortion tactics is just one example of the new risks enterprises encountered over the last year.
Darren Shou, chief strategy officer for RSA Conference, said the charges highlight that security is not just an IT problem but a serious business issue as well. As attacks become more advanced, businesses face increased threats to their reputation, customer trust and financial performance, he said.
He added that CISO liability was one of the bigger topics submitted for this year's RSA Conference 2024. Discussions will focus on SolarWinds and other emerging cases in this space.
"The role of a CISO has been evolving to both operational and governance responsibilities with more focus than ever before on being proactive as possible," Shou told TechTarget Editorial.
Whether the charges are warranted, infosec experts agreed the case has raised concerns for CISOs across the board. Shou, who referred to the case as "uncharted territory," said all eyes are attuned to how this will play out.
James Turgal, vice president of cyber risk, strategy and board relations at Optiv, also observed aggregated worry from CISOs following the SEC's announcement. He added that being a CISO can be a thankless job despite the heavy responsibilities.
"It will have a chilling effect on a number of CISOs," Turgal said. "I've worked a lot of cases with the SEC, and it could just be the fact that they're filing it to make a statement and it will get negotiated out in a different way."
Arielle Waldman is a Boston-based reporter covering enterprise security news.
