CISOs Beware: SEC’s SolarWinds Action Shows They’re Scapegoating Us
I’m stressed.
Any chief information security officer (CISO) who's paying attention should be stressed, in light of the Securities and Exchange Commission's (SEC's) decision to charge SolarWinds and its CISO, Timothy G. Brown, in a 68-page complaint filed in October 2023. The SEC alleges that the company and its security head defrauded investors and customers through "misstatements, omissions, and schemes that concealed both the company's poor cybersecurity practices and its heightened — and increasing — cybersecurity risks."
It's not an isolated incident, and it certainly won't be the last, in which a CISO is held personally accountable for their organization's security posture. The first example of this trend was Joe Sullivan, the former CISO of Uber and the first corporate executive to be convicted of crimes arising from a data breach carried out by outsiders. In October 2022, a federal jury found Sullivan guilty of obstruction of justice and misprision of a felony for concealing a 2016 hack of Uber's databases from the Federal Trade Commission, which was at the time investigating a separate 2014 breach. In May 2023, Sullivan was sentenced to three years of probation, a light sentence that credited his steps to keep the stolen customer data from being exposed.
In July 2023, the SEC adopted cybersecurity disclosure rules it had first proposed in March 2022, including fixed deadlines for reporting incidents. Every public company the SEC regulates has to comply: incident disclosure is now a matter of days rather than months. The rule requires a company to file a Form 8-K within four business days of determining that a cybersecurity incident is material (the clock starts at the materiality determination, not at discovery of the incident).
Missed Opportunity: The SEC Failed to Require CISOs on the Board
Beyond the four-day disclosure requirement, the SEC had also proposed requiring every SEC-regulated company to disclose whether its board included anyone with cybersecurity expertise, in effect pushing companies to demonstrate security representation on the board.
Given a wave of pushback, that requirement was dropped from the final rule. I find that regrettable. The SEC had been trying to create accountability at the top, by making boards answerable for the cybersecurity incidents that inevitably occur from time to time.
But now, in the case of SolarWinds, the SEC has turned around and gone directly after the person who currently holds the CISO title. Brown wasn't the CISO when the breach happened. He had been SolarWinds' VP of security and architecture and head of its information security group from July 2017 to December 2020, and he stepped into the role of CISO in January 2021.
The result of the SEC’s failure to mandate security leadership on corporate boards is that they’ve resorted to holding the CISO liable. This shift underscores a significant transformation in the CISO landscape.
From my perspective as a CISO, it's increasingly clear that technical security expertise is an essential requirement for the role. Every day, CISOs make critical decisions, such as approving or accepting extended remediation timelines for vulnerabilities that could be exploited. Without a deep understanding of the technical details involved, a CISO risks ending up in a situation similar to Timothy Brown's: becoming the scapegoat and facing legal consequences. In Brown's case, the SEC's complaint seeks "permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director bar" against him.
CISOs Must Act Now to Protect Themselves
What's evident is that CISOs need to take proactive steps to protect themselves from the rising threat of enforcement actions and lawsuits. Several strategies are worth considering:
- Require inclusion in the organization's directors and officers (D&O) insurance policy. D&O coverage often extends only to formally designated officers, so a CISO should confirm in writing that they are a covered person; this provides a layer of legal protection if their decisions are questioned.
- Demand direct access to the board of directors, so that the CISO's concerns and recommendations are heard, and recorded, at the highest level of the organization.
- Insist on a seat at the executive table where strategic decisions are made. That position lets the CISO align security with the business's goals and ensures that security is an integral part of the organization's strategy rather than an afterthought.
- Negotiate specific severance terms into the employment contract. These serve as a safety net, offering financial protection if the CISO is dismissed or faces legal consequences for security incidents beyond their control.
In a rapidly evolving cybersecurity landscape, it’s crucial for CISOs to take proactive measures to safeguard their careers and mitigate the risks associated with their roles. By integrating these protective measures into their positions, they can better navigate the complex and often high-stakes world of cybersecurity leadership.