SolarWinds, the SEC, and the CISO: Who is legally responsible for security?

What you need to know

 

• The Securities and Exchange Commission is accusing SolarWinds and its CISO of misrepresenting the company’s security situation before and after the 2020 SolarWinds Orion hack.
• The SEC’s action could set a precedent for holding security officers personally liable for security incidents and their consequences.
• The case has sparked a lively debate over who truly owns cybersecurity in organizations, who can be held responsible for breaches, and whether CISOs should have the same legal protections as other top executives.

According to a new complaint filed by the Securities and Exchange Commission (SEC), blame for the 2020 SolarWinds incident, which exposed many government agencies and Fortune 500 organizations to state-sponsored infiltration, rests on the shoulders not only of the company itself but also its Chief Information Security Officer (CISO), Timothy Brown. The SEC’s lawsuit alleges that SolarWinds and Brown failed to disclose critical weaknesses that led to the breach of its network monitoring software Orion, ultimately leading to an estimated 18,000 SolarWinds customers unwittingly installing compromised software. 

In the civil complaint, the SEC alleges that SolarWinds misled investors when it disclosed hypothetical risks and inaccurate data about how many Orion customers were impacted. Alongside the organization itself, it specifically calls out Brown for his alleged role in fraud and control failures. The complaint states that all of this occurred “at a time when the company and Brown knew of specific deficiencies in SolarWinds’ cybersecurity practices as well as the increasingly elevated risks the company faced at the same time.” 

In a statement from the SEC, these allegations suggest that Brown acted negligently when he failed to resolve security issues or raise them to the right teams within the organization. In a response shared with the media, SolarWinds not-so-subtly accused the SEC of overreaching in a way that should “…alarm all public companies and committed cybersecurity professionals across the country.” 

With this news ricocheting through the industry, some are questioning whether or not the SEC is overstepping boundaries by painting a target on Brown’s back. While fellow security leaders brace for impact to all CISO roles in the US, some voices suggest that holding CISOs accountable for security failures could be a way to finally highlight the importance of security. 

Is pointing the finger at a security scapegoat risky?

The debate over regulatory overreach is prompting concerns that placing responsibility on one person might cast a negative light on critical security roles and make them less appealing to professionals. Should the ruling be in the SEC’s favor, it could set the precedent of security leaders taking the legal fall in the aftermath of a major system compromise or data breach. It will undoubtedly fuel deeper discussions about how we get leadership – including the board – aligned about cybersecurity to prioritize best practices and make meaningful security investments. And at a time when there’s an overwhelming skill shortage in cybersecurity, scaring away potential talent by deprioritizing security or forcing one person to own security entirely is not a recipe for success. 

“Security ownership cannot sit on the shoulders of one role or person,” explains Frank Catucci, Invicti’s Chief Technology Officer and Head of Security Research. “That is especially true if they do not have the authority or power to make the necessary decisions and take action to protect company assets. Where does responsibility factor in for the board of directors and the CEO if they have the ultimate decision about security or the final power of action? Scapegoats may provide a convenient distraction to camouflage and divert responsibility, but the underlying problem remains. Liability for security is holistic and needs to be formally and legally accepted as such.”

Before placing the onus squarely on a CISO as a scapegoat for security failings, organizations need to step back and look at the bigger picture of their processes, best practices, and chain of command. Various roadblocks and silos disrupt security professionals’ workflows every day and can easily contribute to unfortunate scenarios where security fails or is overlooked. For example, if development unilaterally decides to move to an agile process with frequent code changes and deployments, security won’t be able to keep up without an accompanying cultural and organizational shift.

Coupled with these challenges is the fact that developers constantly feel the pressure to innovate fast, even as cybersecurity programs often fall victim to budget cuts as a nice-to-have for more comfortable times. In this light, it shouldn’t come as a shock that critical security steps can be skipped and guidance from leadership sidestepped in the name of business agility. It’s a symptom of a broader issue, and one that requires some serious discussions around responsibility.

Embracing security at every level is the only way to protect an organization

Even as the SolarWinds legal story unfolds, organizations need to reevaluate their entire approach to cybersecurity and look at the problem holistically – including the steps taken to protect employees and the organization itself when things go awry. For example, the current allegations of fraud and internal failures are raising questions and concerns over the liability of software vendors for breaches, and the dire need for insurance to help cover legal bases. Soon, companies may find themselves redefining the role of the CISO altogether, redrawing lines in the sand over who ultimately bears responsibility for security failures. 

If CISOs are to be legally responsible for the security of their entire company, it’s imperative to guarantee they have the influence and power required to embed and enforce security as a ubiquitous part of organization culture. When they get the means to foster security-minded practices that start with the leadership and extend down to every single employee, CISOs will be able to implement more effective security strategies without fear of being sidelined or overruled by business pressures. At the same time, having a clear regulatory environment is a must not only for long-term strategy planning but also for defining the future of the CISO role.

While it’s far too early to say what may have led to Brown and SolarWinds failing to disclose critical information before and after the breach (or even if the SEC’s charges are valid), the whole story is a sobering reminder that there are a multitude of factors that can negatively impact security and contribute to an incident – including failures at the leadership level. Having this awareness is a starting point for work to strike a balance between innovation in development and integrity in security.

In the security industry, we often repeat that security is everyone’s responsibility. The SEC’s current action will, quite literally, put that statement to the test.