As winter winds swept across the US this month an even colder wind swept through offices of organizations everywhere, as the SEC brought charges against SolarWinds Corporation and its Chief Information Security Officer (CISO). With one simple indictment the lives of CISOs everywhere changed (even if they may not know it yet) as the consequences of this have started to raise what may become the redefining of the CISO role.
This is the second time in recent memory where a CISO is being charged with a crime allegedly committed in the execution of their duties. The fallout from the SolarWinds breach and subsequent SEC charges against the corporation and its CISO has brought into focus a pivotal question: what does this mean for cloud native security, and the responsibilities of CISOs in today’s landscape?
With input from some other CISOs, together we look to understand what this means for the CISOs today and in the future…
Understanding the SolarWinds Breach and SEC Charges
The SolarWinds breach, discovered in late 2020, was an unparalleled cyberattack that invaded the software supply chain, resulting in a compromised update to the SolarWinds Orion software. This tainted update was distributed to SolarWinds’ clients, including several government agencies and corporations. It allowed hackers access to a wide array of sensitive data, leading to a widespread security crisis.
The recent SEC charges against SolarWinds Corporation and its CISO revolve around allegations of inadequate cybersecurity protocols and failure to disclose critical information to investors in a timely manner. These charges underscore the significance of maintaining robust cybersecurity measures and the necessity of transparency in the aftermath of a security incident.
Impact on Cloud Native Security
The SolarWinds breach and subsequent charges have generated a significant shift in how businesses perceive and approach cloud native security, specifically in how they mitigate software supply chain attacks.
One crucial implication of this attack revealed the pressing need for enhanced security measures in the software supply chain. This attack showed how an attacker can inject malware into an update delivered by a software vendor and compromise elements in trusted IT management software deployed through bypassing existing security measures.
Companies and CISOs specifically are now reevaluating their security postures, implementing more rigorous protocols to safeguard against supply chain attacks and fortify cloud-based infrastructure. This means greater emphasis on scanning, continuous monitoring, and zero-trust security strategies.
Legal Accountability and CISO Responsibility
This incident also spurred conversations around the accountability and responsibility of CISOs in ensuring the security of their organizations. CISOs are now faced with the mandate to not only fortify existing security measures but also to ensure swift and transparent communication in the event of a breach.
CISOs are at the forefront of departments that directly interact with potential threat actors, albeit indirectly, while upholding the critical mandate to protect the company’s data, employees, and customers at all costs. Navigating this complex environment now means shouldering the weight of personal liability in addition to ensuring organizational security.
Jim Routh, Board Member, Advisor & Investor, and Former CSO/CISO shared his thoughts with us:
“There is the reality that when engaging in cybersecurity operational practices with threat actors the clarity of legal accountability is murky at best. CISOs lead functions that engage with threat actors through technical proxies and sometimes directly (for example: bug bounty programs) while using services from security intelligence firms that engage with threat actors daily. CISOs must navigate this ‘murkiness’ using guiding principles while now navigating the personal liability that comes with this.”
The recent incident has amplified discussions on the accountability and responsibility of CISOs in guaranteeing the security of their organizations. They’re not just tasked with bolstering existing security measures but are now compelled to champion swift and transparent communication in the aftermath of a breach.
As a result, Jim also points out the number of new areas that must be considered during a CISO negotiation process before an offer is made and compensation terms are resolved. Pointing also to the recent Uber Verdict, he recommends that CISO’s need to:
- Determine whether they are considered a company officer
- Understand what level of indemnification coverage is offered (attorney fees for a representative from the company’s law firm provided, attorney fees for a dedicated attorney for the CISO, and penalties paid for by the enterprise including upon conviction, and lastly
- The current policy for regulatory and law enforcement notification? (Typically the CISO is not accountable for either the Legal team does the notifying, but this didn’t help Joe). Jim shares more insights on this topic in a recent webinar: Uber Verdict: The CISO, The Law, and The Door!
Lastly, to further complicate navigating information sharing. Jim adds “The recent SEC action against Tim Brown sets a precedent that makes information sharing between regulatory bodies and the private sector much more challenging; a direct contradiction with efforts to improve information sharing between government entities and the private sector, where the majority of critical infrastructure resides.”
Redefining the Role of CISOs
The role of a Chief Information Security Officer has evolved considerably in the wake of the SolarWinds incident and the subsequent SEC charges. CISOs are now tasked with a more strategic and all-encompassing role, encompassing not only the implementation of robust security measures but also being proactive in risk assessment and management.
One significant lesson from this case is the necessity of transparent reporting. CISOs and corporate leaders should establish a culture of openness in cybersecurity reporting, avoiding misrepresentations that can result in severe legal and financial consequences. Additionally, there is a need for organizations to prioritize robust cybersecurity measures, not just to meet regulations but to actively defend against known vulnerabilities and emerging threats. Effective risk management and prompt resolution of known vulnerabilities, as well as alignment between internal assessments and external disclosures, are essential.
Aaron Weis, Managing Director of Google and former CIO at the US Navy, shared his perspectives:
“This decision has significant implications for CISOs moving forward, emphasizing the need for heightened vigilance, proactive risk management, and transparent communication with stakeholders. Furthermore, fostering a culture of cybersecurity awareness throughout the organization is vital. This ensures that every employee understands their role in maintaining security. Finally, organizations must be prepared for incidents. Given the inevitability of cyberattacks, having robust incident response plans in place is essential to minimize damage and enable a swift recovery.”
The Future of Cloud Native Security and CISOs
The SolarWinds incident and the subsequent actions taken by the SEC have undeniably reshaped the narrative around cloud native security and the role of CISOs. The focus has shifted to emphasize the critical importance of cybersecurity practices for companies. Beyond mere regulatory compliance, this case underscores the need for organizations to actively reduce risks and safeguard their reputation. CISOs, as key figures in this landscape, must take a leading role in this effort.
As the landscape continues to evolve, companies will likely invest more in robust cybersecurity infrastructure and incident response mechanisms. CISOs will be at the forefront of this transformation, playing a pivotal role in steering their organizations towards a more resilient and secure future.
The Key Takeaways for CISOs
The SEC charges against SolarWinds Corporation and its CISO have acted as a wake-up call, prompting a reevaluation of cybersecurity strategies and the responsibilities of CISOs. Aaron summarized the takeaways as follows:
- Elevated Cybersecurity Responsibilities: CISOs must recognize that their role extends beyond technical implementation to encompass broader aspects of cybersecurity governance, including risk assessment, vulnerability management, and incident response preparedness.
- Stronger Internal Controls: CISOs should collaborate with senior management and internal audit teams to establish robust internal controls that effectively identify, assess, and mitigate cybersecurity risks.
- Transparent Risk Disclosure: CISOs must ensure that cybersecurity risks and vulnerabilities are accurately disclosed to investors and other stakeholders, providing a transparent and realistic picture of the company’s cybersecurity posture.
The incident has underscored the critical need for proactive and transparent security measures in the era of cloud native operations. Moving forward, businesses must adapt by strengthening their security protocols and empowering CISOs to lead the charge in fortifying their organization’s cybersecurity resilience. The aftermath of the SolarWinds breach is a pivotal moment that propels us toward a more secure and vigilant future in the realm of cloud native security.