Getty Images

Feature

Watch your words: Tim Brown's advice for CISOs

During RSAC 2026, Tim Brown discussed the SolarWinds breach, his SEC indictment and the critical need for communication policies.

Sharon Shea
By
Published: 27 Mar 2026

"Anything you say can and will be used against you."

As the first CISO personally indicted in a civil lawsuit, Tim Brown knows all about how what he and his colleagues said -- be it industry language or benign jokes -- could be used against him and his company, SolarWinds.

Brown was the CISO at SolarWinds when the infamous 2020 supply chain attack occurred. Nation-state hackers had injected malicious code into SolarWinds Orion updates, enabling them to infiltrate thousands of organizations worldwide, including government agencies and private companies, and conduct cyberespionage.

What ensued was not only what is widely considered the first large-scale, highly sophisticated supply chain attack executed through a trusted vendor, but also a data discovery and interrogation by the SEC unlike any Brown had ever imagined, given he knew he had nothing to hide.

In October 2023, SolarWinds and Brown were charged with fraud for misleading investors regarding cybersecurity risks and internal control failures. After a five-year process, the charges against the company and Brown were ultimately dropped, but not before Brown learned some eye-opening lessons about communications, interpretations and what truly can and will be used against you.

Don't share too much

In the days and months following the 2020 breach, Brown shared more details with the public than many companies might. During an RSAC 2026 Conference presentation, Brown, currently general partner and CISO in residence at venture group Team8, admitted that the safest move -- at least in terms of his own liability -- would have been to stay silent. But, given public scrutiny of the incident, that would probably have put the company out of business.

"We got into a rhythm of sharing and sharing and sharing, and it really helped our process," Brown said. He explained that it enabled the company to educate the industry about nation-state attacks and their tactics, as well as to share the steps it was taking to build cyber resilience.

But sharing too much isn't always a good thing. According to Brown, his openness was a driving factor in the SEC's investigation -- in which it seized SolarWinds' internal records, devices and communications -- and led to his and the company's ultimate indictment.

Watch what you say

The first year of the investigation, the SEC collected data to build a case. It gathered company communications and emails, and asked Brown for information from his phone, including WhatsApp and Signal messages.

"One of my naïve beliefs at the beginning was somebody was looking for the truth," Brown said. But, he added, he soon found out that no one was looking for the truth, they were searching for enough information to bring a compelling case to the enforcement division.

During the investigation-gathering and investigation phases, Brown was struck by which types of communications were called into question.

For one, industry knowledge was misunderstood. Emails among him and the CTO and CIO often used "continuous improvement," for example -- a well-known phrase in the IT industry. The SEC questioned how they could possibly be "continuously improving."

The SEC also asked why the company had an identity program that lasted multiple years. As any CISO knows, identity programs are ongoing initiatives that only grow and evolve -- they never "end." Brown said he was asked if he was incompetent.

"Normal operating procedures became proof, from [the SEC's] perspective, of negligence," Brown said. He cited an internal audit report that found five incidents of misconfigured access controls. According to the SEC complaints, this was a "systemic issue" -- despite the audit also reporting that the company had 30,000 properly configured access control records, and that it caught these five misconfigurations.

At the time, Brown tried to explain himself to the SEC -- which he said only led to further problems.

"One of the mistakes I made during our first initial interviews and information-collecting by SEC policy folks was that I tried to teach them what software engineering was, what a security team does, what the process was -- they accused us of collusion," he said.

Another thing that alarmed Brown during the investigation was how some communications were taken out of context -- a problem most organizations don't address in communications or security policies. Plenty of internal communications warrant investigation and discipline -- harassment, for example. But what about an email between two security analysts that says, "Our security sucks!"? Everyone has one of those days, and most employees occasionally vent to trusted colleagues. But any message sent over corporate channels is subject to subpoena, and when it comes to the SEC, those are serious words to utter.

"There were jokes in the deficit, there were casual conversations over Teams with our workers," Brown said -- communications he would never have thought twice about -- until now, because the SEC also considered these jokes to be collusion.

Learning from the past

Brown said he believes the SEC was using the SolarWinds breach as a lesson for other organizations.

"Where I give the SEC a little bit of grace -- one day we'll figure out whether it's true -- is I believe that they were looking for a case that would be public enough, that would be able to put CISOs on notice, put security teams on notice, and put executive teams and boards on notice that security is important and you should be talking about security more within the exec team, within the board -- or else you're being negligent," Brown said. "They can't create laws, but they can create precedents by enforcement."

A lesson Brown wants people to take from his experience is that while no CISO or organization wants to limit what its employees say, within reason, under many regulations they have the right to, especially when those communications occur using company property.

"I never saw it said, 'Be aware that the language you're using inside a message could be looked at in a critical way,'" Brown said. "We didn't stress the idea of discovery and email being used against you or Teams being used against you."

Brown and his RSAC co-presenter Ira Winkler, CISO and vice president at exposure management platform vendor CYE, shared the following advice to help CISOs and their organizations put controls in place to address this lesson:

  • Put it in a policy. Create documents outlining appropriate conduct and communication. Get approval from the CEO down. Define penalties for noncompliance.
  • Have an enforcement policy and enforce it. Enforce the policy justly across all employees.
  • Educate users about the policies. Ensure employees understand the policy. Include what the policy entails and how it is enforced. For example, explain the discovery process, including email tracing and scraping.
  • Adhere to regulations. Follow the appropriate and required industry, national and international regulations, as well as privacy laws, data security laws and data retention laws.
  • Encourage self-reporting. Create anonymous reporting capabilities for internal and external communications channels.
  • Implement monitoring for internal channels. Implement just-in-time training and monitor all possible channels, including email and collaboration platforms.

Organizations should prioritize conversations about communications, interpretations and context, Brown said, and ensure all employees are informed and understand the situation clearly.

"If you're not thinking about it, you don't want to be the next Tim Brown -- no offense," Winkler said.

Sharon Shea is executive editor of TechTarget Security.

Dig Deeper on Security operations and management