November 4, 2023 at 12:30PM
The US Securities and Exchange Commission (SEC) has charged SolarWinds and its chief information security officer (CISO), Timothy Brown, for allegedly misleading investors about cybersecurity practices and risks before the disclosure of a major hacker attack. The SEC claims that SolarWinds’ filings misled investors while Brown knew of specific cybersecurity problems. The charges have implications for CISOs across the industry, with professionals calling for increased accountability, transparency, and support for the role.
The meeting notes discuss the charges brought against SolarWinds and its chief information security officer (CISO) by the US Securities and Exchange Commission (SEC). The SEC alleges that SolarWinds misled investors about cybersecurity practices and risks leading up to the disclosure of a major hacker attack. The complaint accuses the CISO of being aware of cybersecurity risks but failing to resolve them. The charges have caused concern among CISOs in the industry and have led to discussions about the implications for the role and recommendations to avoid a similar situation. The feedback from industry professionals includes the following key points:
– Igor Volovich of Qmulos suggests that the issue may be more about the divorced nature of cybersecurity from corporate risk and compliance functions. He believes that the people responsible for regulatory filings may not have fully understood the significance of the reported security issues.
– Petri Kuivala of Hoxhunt emphasizes the difficulty of the CISO role in conveying truthful messages to decision makers without overwhelming them with technical details. He believes that CISOs should be prepared and accountable for their decisions.
– Agnidipta Sarkar of ColorTokens expresses concern that the charges could negatively impact the CISO role and deter qualified individuals from taking on the position. He suggests that new job descriptions for CISOs may include warnings about the potential risks involved.
– Francesco Trama of PacketViper argues that the SEC’s actions may discourage individuals from becoming CISOs, which could lead to preventable cybersecurity incidents. He calls for boards and CEOs to be educated about cybersecurity and held accountable for failures.
– George Jones of Critical Start believes that the charges could make CISOs more cautious about providing inaccurate or incomplete information. He suggests that CISOs should raise significant risks to the CEO and board of directors for awareness and make sure they are recorded in the company’s risk register.
– Dave Stapleton of ProcessUnity hopes that the case will lead to a shift in security behaviors and greater transparency in disclosing cybersecurity risks. He calls on CISOs to demand more support from their organizations.
– Jeff Pollard of Forrester sees the SEC’s actions as endorsing CISOs to stop being quiet about security flaws. He believes that putting a spotlight on cybersecurity flaws is now necessary to avoid personal legal jeopardy. He emphasizes the importance of tech leaders taking cybersecurity issues seriously and escalating them appropriately.
Overall, the feedback highlights the potential impact of the SEC charges on the CISO role and the need for greater accountability and transparency in cybersecurity practices.