DEFENSESTORM BLOG
Wednesday, November 29th, 2023
Cyber Risk Insights from the desk of DefenseStorm’s Chief Information Security Officer, William Wetherill.
When I first learned about the SEC’s lawsuit against the SolarWinds CISO (Chief Information Security Officer), it resonated with me deeply. It serves as a stark reminder that cyber risk accountability is of the utmost importance in our line of work. In the lengthy complaint against SolarWinds and current CISO, Timothy G. Brown, it is alleged that SolarWinds “defrauded investors and customers through misstatements, omissions, and schemes that concealed both the Company’s poor cybersecurity practices and its heightened—and increasing—cyber risks. SolarWinds’ public statements about its cybersecurity practices and risks painted a starkly different picture from internal discussions and assessments about the company’s cybersecurity policy violations, vulnerabilities, and cyberattacks.”
It is tough to know from this incident if the discrepancy between public reporting and internal knowledge was solely the fault of the CISO or if there were other internal pressures that contributed to the imbalance and, in the worst case, caused them to compromise their ethical standards to preserve their position. As CISOs, we are responsible for protecting our organizations’ digital assets and must be held accountable for our actions or inactions in managing cyber risk. However, the CISO role does not always naturally align with other executives, such as CEOs and CFOs, as many executives still see security as a cost center rather than an investment in the company’s resiliency. This creates pressure on CISOs to downplay or accept risks, which can now lead to personal risk for the CISO themselves.
Transparency and honesty should be core values for any CISO, and the recent lawsuit against the SolarWinds CISO reinforces the critical importance of these values. CISOs cannot afford to conceal critical information about cybersecurity incidents, which can lead to misleading statements and, ultimately, legal repercussions. Building a culture of trust within organizations, where information about cyber risks is shared openly without fear, is essential, but a CISO cannot be both responsible for breaches and powerless to enact protections against them.
In order to enhance and empower CISOs to foster a more resilient cybersecurity environment, it’s imperative to distribute liability across the executive team rather than placing the sole burden on the CISO. This shift towards shared responsibility acknowledges that cybersecurity is a collective effort. Other pathways toward effective change should also allow a CISO to:
CISOs are already under substantial pressure, so they must be given the authority, necessary resources, and support to protect their organizations effectively. Without the authority to address issues and enact meaningful changes, CISOs are limited in their capacity to strengthen cybersecurity defenses and are just yelling into the void. A seat at the table without the ability to sanction significant changes is now in danger of being perceived as providing risk transference. The modern CISO is more than just a person who will take the brunt of the impact and shield the organization in case of a breach.
By empowering CISOs with the tools, authority, and support they need, organizations can create a culture of security that not only safeguards against threats but also protects the careers and well-being of their dedicated security leaders.