
CISOs Ought to Be Scared Of The SEC


Remember back in March when we advised CISOs to lawyer up? Yeah, we were right.

Yesterday’s SEC indictment of SolarWinds CISO Timothy G. Brown sends a chilling message to all CISOs, and rightfully so. We’ve parsed it and highlighted below the most important parts of the complaint to help CISOs understand exactly what this means for them and what its implications are.

The Time Frame

One of the key themes of the complaint is that SolarWinds’ initial public offering occurred in 2018, the time at which the SUNBURST attack is believed to have begun, persisting through 2020. As part of its IPO process and subsequent financial disclosures, SolarWinds made numerous statements about its cybersecurity posture and preparedness. The SEC alleges these statements were false, based in part on the cyberattack itself and on internal statements from SolarWinds employees that the company faced numerous security challenges.

Internal Presentations As Evidence

Several internal presentations contradicted the information included in disclosures and financial reports. Those reports, according to the SEC, did not accurately disclose the actual state of the cybersecurity posture within SolarWinds. For example, engineers shared that SolarWinds did not have the capability to detect remote access activity. None of these representations made it into any required financial reports filed with the SEC regarding SolarWinds’ security posture and the risk it represented to investors.

Failure To Escalate Equals Fraud

This portion is by far the biggest element of the SEC’s complaint against Brown that CISOs should focus on. The SEC’s Oct. 30 press release states:

“The SEC’s complaint alleges that Brown was aware of SolarWinds’ cybersecurity risks and vulnerabilities but failed to resolve the issues or, at times, sufficiently raise them further within the company.”

Note that we added the emphasis here on the portion in bold. A CISO cannot secure a company alone. A key part of the SEC’s complaint highlights this issue by alleging that Brown failed to adequately raise these issues internally, opting instead to minimize them in public disclosures, thereby defrauding investors.

This whole episode is scary for security leaders … but if there is a silver lining to be found … it is here. This is the SEC endorsing CISOs to stop being quiet about security flaws. Putting a spotlight on glaring cybersecurity flaws is not the nuclear option, per the SEC. It is rather the way for CISOs to avoid finding themselves in personal legal jeopardy for not raising those flaws loudly enough internally.

Is The SEC Scapegoating CISOs?

It certainly looks that way from the outside looking in. Much of determining whether that is true hinges on the information above. Did Brown adequately raise these issues — and their severity — internally to other SolarWinds executives? If he did so in a way that other CISOs feel represents how they would have done the same, then it should frighten every one of them. If he raised them but failed to persuade other leaders of their importance, that is also scary. But if he hid them from or downplayed them to other executives, that is a different story, and one that CISOs should consider before wondering whether they should run — not walk — away from their current or future gigs.

Takeaways For Other C-Levels

Ignoring cybersecurity and failing to secure what you sell is not an option for publicly traded companies. So far, we only have the SEC’s side of events. But other tech leaders should pay particular attention to this legal action, notably the details of Brown’s defense. Because if we learn that Brown did fail to escalate these issues and buried them, it looks terrible for him.

But this should also concern other C-levels and tech leaders, CIOs and CTOs in particular. Tech leaders who work with cybersecurity leaders who escalate flaws only to have them ignored, deprioritized, or neglected could find themselves the next person charged by the SEC.

Forrester clients with questions should request a guidance session or inquiry with me or my colleague and coauthor Jess Burn to discuss in detail.

Meet Us At Security & Risk Forum 2023

Check out the agenda for our upcoming Security & Risk Forum, taking place November 14–15 in Washington, D.C. We will have 25 sessions led by Forrester analysts, including Jess and me, who will also be available for one-on-one meetings during the event.
