News

What does the SEC indictment of SolarWinds mean for security leadership?

Paul Watts, Distinguished Analyst
Published 29 - November - 2023
isf expert opinionsource

Unless you’ve been living on a Desert Island recently, it won’t have escaped your notice that the Securities and Exchange Commission (SEC) in the United States filed a complaint in late October against SolarWinds for the Orion Supply Chain breach in late 2020.

The stand-out feature of this complaint was the explicit naming of their Chief Information Security Officer (CISO), Tim Brown, in the indictment. That sent the cyber security industry – and in particular cyber security leaders – into a frenzy. Was this a watershed moment? What does it mean for the future of security leadership?

I’ve been keeping an eye on this, unsurprisingly. Here’s my take.

 

Is this a game-changer for the security industry?

I think the short answer is “No, not quite yet.”. This is still a sub judice civil case (and the word ‘civil’ is an important word here; it is important to stress that no criminal charges are being brought) and whilst a US class-action suit against SolarWinds was settled in late 2022, no admissions were made as part of that settlement. SolarWinds contest the SEC’s complaint and, arguably more importantly, stand firmly behind their CISO.

 

What have we really learned so far?

Honestly? Nothing new. Not really. Apart from a validation of a long-held position: Your risk and controls really do matter. Your security posture – and any statements you may make about it, publicly or privately – matter. Good incident response matters greatly.

We learned that state sponsored attacks, whilst rare, are certainly a force to be reckoned with if you find yourself in the crosshairs. Some sectors and organisations will be more susceptible, of course, and an organisation such as SolarWinds – essentially a conduit to many indirect potential targets – will be high on any such list.

We can agree that supply chain risk is a clear and present danger, both at third AND fourth-party level. This is something the ISF has been saying for quite some time.

We recognise that being a victim of such an attack does not remove the opportunity for prosecution, although time will tell just how far that goes.

 

What are the unresolved concerns on the table?

The nature of the complaint, and the specific targeting of the CISO, do raise some concerns that could change the landscape for business and cyber security leadership.

Firstly, the challenge of securing the supply chain is something that can no longer be ignored. Particularly the responsibilities for securing and assuring, on both sides of the fence. And within many organisations, how those responsibilities are distilled and discharged are anything but clear.

Secondly, when it comes to liabilities, where does everybody stand now? Both corporate and personal liabilities are in sharp focus here, and if the CISO is to be personally liable going forward, what does this really mean for the role?

Thirdly, what are the implications of inter-company communications regarding cyber security posture, weakness, and opportunity? Could the most BAU of conversations between security teams and their superiors leave them wide open both legally and professionally, and if so, how on earth do we get around that without looking hard at the world of indemnity – or worse, just not talk about it anymore?

And finally, should the regulatory landscape go in the direction of ‘full disclosure, every time’, does that in fact have the opposite effect to keeping corporates honest, and citizens safe – by creating an enormous amount of OSINT for threat actors to feed off, making their attacks more targeted, sharper, more potent, more accurate?

 

What should we be doing about this right now, and how can the ISF help?

The most important thing is to monitor developments closely and start to think about how any related conversations with business leaders will need to be conducted. Steer away from Fear, Uncertainty and Doubt – stick to the facts, and think about the implications through the business’ eyes. The ISF leadership insights paper, Unlocking the business value of security, may be of some use.

Take a good look at the quality of your risk management and control frameworks, and the governance that wraps around those processes. Is there efficiency in the lines of defence that exist? Do your levels of expected and accepted risk align to your control framework? Where are the gaps in reporting line and accountabilities? Our paper, Nurturing Security Governance (available upon request), read in conjunction with your chosen risk management methodology, for example, Information Risk Assessment Methodology 2 ( IRAM2), could provide some useful prompts. Pay particular attention to lines of communication; for example, could the security leader inadvertently become a choke point and expose themselves to personal risk by being the predominant focal point of information flows both up and down the organisation?

Consider the quality assurance processes that wrap around any internal or external communications that refer to the security and risk management position of the organisation. Who signs them off, and how? Is there an effective audit trail?

Thinking specifically about the SEC changes regarding Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, those outside of the US who may be inadvertently influenced by these changes – e.g. subsidiaries with a relationship to a US parent company – should work with their legal counsel to understand the potential implications of this, if any.

As the case progresses, we will continue to monitor the situation. Should you have any thoughts or comments to make regarding this topic, please do feel free to add them below – or contact myself directly.