CISOs Beware: SEC's SolarWinds Action Shows They're Scapegoating Us

I'm stressed.

Any chief information security officer (CISO) who's paying attention should be stressed, in light of the Securities and Exchange Commission's (SEC's) decision to charge SolarWinds and former CISO Timothy G. Brown in a 68-page complaint. The SEC is alleging that the company and its then security head defrauded investors and customers through "misstatements, omissions, and schemes that concealed both the company's poor cybersecurity practices and its heightened — and increasing — cybersecurity risks."

It's not an isolated incident — and it certainly won't be the last — where a cybersecurity leader faces accountability for their organization's security posture.

In March 2023, the SEC proposed a number of changes to cybersecurity oversight, including notification periods about breaches and incidents. Everyone has to comply: Breach notification is now a matter of hours — the rule requires notification to the SEC within four days of discovering that a significant cybersecurity incident is material — instead of months.

Missed Opportunity: The SEC Failed to Require CISOs on the Board

Beyond a four-day breach notification requirement, the SEC was also pushing to require that all SEC-regulated corporations be prepared to demonstrate security representation on their board.

Given a wave of pushback, the requirement was subsequently dropped. I find that regrettable. The SEC had been trying to create accountability by holding a board accountable and liable for issues concerning cybersecurity incidents that inevitably occur from time to time.

But now, in the case of SolarWinds, the SEC has turned around and directly gone after somebody who's only now the CISO. Brown wasn't the CISO when the breaches happened. He had been SolarWinds' VP of security and architecture and head of its information security group between July 2017 and December 2020, and he stepped into the role of CISO in January 2021.

The result of the SEC's failure to mandate security leadership on corporate boards is that they've resorted to holding the CISO liable. This shift underscores a significant transformation in the CISO landscape.

From my perspective as a CISO, it's increasingly clear that technical security expertise is an essential requirement for the role. Each day, CISOs are tasked with making critical decisions, such as approving or accepting timeline adjustments for security risks that have the potential to be exploited. Without a deep understanding of the technical intricacies involved, a CISO risks ending up in a situation similar to Timothy Brown's: namely, becoming the scapegoat and facing legal repercussions. Specifically, the federal complaint seeks "permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director bar" against Brown.

CISOs Must Act Now to Protect Themselves

What's evident is that CISOs need to take proactive steps to protect themselves from the rising threat of lawsuits. There are several strategies they can consider, including:

In a rapidly evolving cybersecurity landscape, it's crucial for CISOs to take proactive measures to safeguard their careers and mitigate the risks associated with their roles. By integrating these protective measures into their positions, they can better navigate the complex and often high-stakes world of cybersecurity leadership.