CISOs Beware: SEC's SolarWinds Action Shows They're Scapegoating Us

In a rapidly evolving cybersecurity landscape, CISOs must take proactive measures to safeguard their careers and mitigate risks associated with their roles.

David Lindner, Chief Information Security Officer

November 8, 2023

3 Min Read
Gray people circled around red person, pointing at it: scapegoat
Source: Zoonar GmbH via Alamy Stock Photo

I'm stressed.

Any chief information security officer (CISO) who's paying attention should be stressed, in light of the Securities and Exchange Commission's (SEC's) decision to charge SolarWinds and former CISO Timothy G. Brown in a 68-page complaint. The SEC is alleging that the company and its then security head defrauded investors and customers through "misstatements, omissions, and schemes that concealed both the company's poor cybersecurity practices and its heightened — and increasing — cybersecurity risks."

It's not an isolated incident — and it certainly won't be the last — where a cybersecurity leader faces accountability for their organization's security posture.

In March 2023, the SEC proposed a number of changes to cybersecurity oversight, including notification periods about breaches and incidents. Everyone has to comply: Breach notification is now a matter of hours — the rule requires notification to the SEC within four days of discovering that a significant cybersecurity incident is material — instead of months.

Missed Opportunity: The SEC Failed to Require CISOs on the Board

Beyond a four-day breach notification requirement, the SEC was also pushing to require that all SEC-regulated corporations be prepared to demonstrate security representation on their board.

Given a wave of pushback, the requirement was subsequently dropped. I find that regrettable. The SEC had been trying to create accountability by holding a board accountable and liable for issues concerning cybersecurity incidents that inevitably occur from time to time.

But now, in the case of SolarWinds, the SEC has turned around and directly gone after somebody who's only now the CISO. Brown wasn't the CISO when the breaches happened. He had been SolarWinds' VP of security and architecture and head of its information security group between July 2017 and December 2020, and he stepped into the role of CISO in January 2021.

The result of the SEC's failure to mandate security leadership on corporate boards is that they've resorted to holding the CISO liable. This shift underscores a significant transformation in the CISO landscape.

From my perspective as a CISO, it's increasingly clear that technical security expertise is an essential requirement for the role. Each day, CISOs are tasked with making critical decisions, such as approving or accepting timeline adjustments for security risks that have the potential to be exploited. Without a deep understanding of the technical intricacies involved, a CISO risks ending up in a situation similar to Timothy Brown's: namely, becoming the scapegoat and facing legal repercussions. Specifically, the federal complaint seeks "permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director bar" against Brown.

CISOs Must Act Now to Protect Themselves

What's evident is that CISOs need to take proactive steps to protect themselves from the rising threat of lawsuits. There are several strategies they can consider, including:

  1. Requiring that they be included in their organization's directors and officers (D&O) insurance policy. This would provide a layer of legal protection in case their decisions are questioned.

  2. CISOs should demand direct access to the board of directors, which would enable their concerns and recommendations to be heard at the highest level of the organization.

  3. They should also insist on a seat at the executive table where strategic decisions are made. This position allows them to align security with the business's goals and ensure that security isn't an afterthought but rather an integral part of the organization's strategy.

  4. In addition, CISOs should work to include specific severance packages in their employment contracts. These packages can serve as a safety net, offering financial protection in case they face dismissal or legal consequences for security incidents beyond their control.

In a rapidly evolving cybersecurity landscape, it's crucial for CISOs to take proactive measures to safeguard their careers and mitigate the risks associated with their roles. By integrating these protective measures into their positions, they can better navigate the complex and often high-stakes world of cybersecurity leadership.

About the Author(s)

David Lindner

Chief Information Security Officer, Contrast Security

David Lindner is an experienced application security professional with over 20 years in cybersecurity. In addition to serving as the chief information security officer, David leads the Contrast Labs team that is focused on analyzing threat intelligence to help enterprise clients develop more proactive approaches to their application security programs. Throughout his career, David has worked within multiple disciplines in the security field — from application development, to network architecture design and support, to IT security and consulting, to security training, to application security. Over the past decade, David has specialized in all things related to mobile applications and securing them. He has worked with many clients across industry sectors, including financial, government, automobile, healthcare, and retail. David is an active participant in numerous bug bounty programs.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights