DEFENSESTORM BLOG

CISO on Cyber Risk: Embracing Accountability and Transparency in the Wake of the SolarWinds Lawsuit

Wednesday, November 29th, 2023

VIEW ALL INSIGHTS

DefenseStorm

Insights from the desk of Chief Information Security Officer, William Wetherill

When I first learned about the SEC’s lawsuit against the SolarWinds CISO (Chief Information Security Officer), it resonated with me deeply. It serves as a stark reminder that accountability is of the utmost importance in our line of work. In the lengthy complaint against SolarWinds and current CISO, Timothy G. Brown, it is alleged that SolarWinds “defrauded investors and customers through misstatements, omissions, and schemes that concealed both the Company’s poor cybersecurity practices and its heightened— and increasing—cybersecurity risks. SolarWinds’ public statements about its cybersecurity practices and risks painted a starkly different picture from internal discussions and assessments about the Company’s cybersecurity policy violations, vulnerabilities, and cyberattacks.”

It is tough to know from this incident if the discrepancy between public reporting and internal knowledge was solely the fault of the CISO or if there were other internal pressures that contributed to the imbalance and, in the worst case, caused them to compromise their ethical standards to preserve their position. As CISOs, we are responsible for protecting our organizations’ digital assets and must be held accountable for our actions or inactions in managing cybersecurity risks. However, the CISO role does not always naturally align with other executives, such as CEOs and CFOs, as many executives still see security as a cost center rather than an investment in the company’s resiliency. This creates pressure on CISOs to downplay or accept risks, which can now lead to personal risk for the CISO themselves.

Transparency and honesty should be core values for any CISO, and the recent lawsuit against the SolarWinds CISO reinforces the critical importance of these values. CISOs cannot afford to conceal critical information about cybersecurity incidents, which can lead to misleading statements and, ultimately, legal repercussions. Building a culture of trust within organizations, where information about cyber threats is shared openly without fear, is essential, but a CISO cannot be both responsible for breaches and powerless to enact protections against them.

Empowering Meaningful Change

In order to enhance and empower CISOs to foster a more resilient cybersecurity environment, it’s imperative to distribute liability across the executive team rather than placing the sole burden on the CISO. This shift towards shared responsibility acknowledges that cybersecurity is a collective effort. Other pathways toward effective change should also allow a CISO to:

  • Proactively negotiate for inclusion in Directors’ and Officers’ insurance policies (a crucial step to mitigate personal liability).
  • Be granted the authority to prioritize cybersecurity efforts with the executive team. This means all executives determine and sign off on risk treatment based on the CISO recommendations.
  • Actively collaborate with executive leadership to ensure that security measures are aligned with the organization’s broader business objectives. Security should be considered an intrinsic priority for business success.
  • Work alongside the executive team to develop comprehensive risk management strategies. This includes a clear understanding of acceptable risk thresholds and proactive steps to mitigate risks to an acceptable level.
  • Have direct access to the board of directors, enabling them to communicate security concerns and recommendations at the highest level. This ensures that cybersecurity receives the attention and support it deserves.
  • Implement a shared responsibility model for information security, which involves the CISO working collaboratively with other stakeholders across the organization. In this model, the CISO is responsible for accurately representing the risk environment, identifying potential threats, and leading remediation efforts. The CISO can and should be held liable if they are found to be negligent in their duties.

CISOs are already under substantial pressure, so they must be given the authority, necessary resources, and support to protect their organizations effectively. Without the authority to address issues and enact meaningful changes, CISOs are limited in their capacity to strengthen cybersecurity defenses and are just yelling into the void. A seat at the table without the ability to sanction significant changes is now in danger of being perceived as providing risk transference. The modern CISO is more than just a person who will take the brunt of the impact and shield the organization in case of a breach.

By empowering CISOs with the tools, authority, and support they need, organizations can create a culture of security that not only safeguards against threats but also protects the careers and well-being of their dedicated security leaders.

William

William Wetherill

Chief Information Security Officer

William is a Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM) with extensive training, background, and experience in various aspects of IT systems and applications. He has over 27 years of IT experience, almost a third of it directly in cybersecurity.  William was previously the Director of Cybersecurity Operations and now is the Chief Information Security Officer at DefenseStorm. William was previously the Chief Information Security Officer at the University of North Carolina in Wilmington (UNCW) where he built and managed their Information Security Program.