Game changing cybersecurity for CISOs

Chilly winds have swept through corporate offices as the US Securities and Exchange Commission (SEC) filed charges against SolarWinds Corporation and its Chief Information Security Officer (CISO).

With one simple allegation, the lives of CISOs everywhere have changed (even if they may not know it yet) as the consequences begin to mount in what may become a redefinition of the CISO role.

This is the second time in recent memory that a CISO has been charged with a crime allegedly committed in the course of his duties. The fallout from the SolarWinds breach and subsequent SEC charges against the corporation and its CISO brought a key question into focus: what does this mean for cloud-native security and CISO accountability in today’s environment?

With input from some other CISOs, we try to understand what this means for CISOs today and in the future.

The SolarWinds breach, discovered in late 2020, was a novel cyberattack on the software supply chain that resulted in a compromised SolarWinds Orion software update.

This tainted update was distributed to SolarWinds clients, including several government agencies and corporations. It gave hackers access to a wide range of sensitive data, leading to a massive security crisis.

Recent SEC charges against SolarWinds Corporation and its CISO revolve around allegations of inadequate cybersecurity protocols and failure to provide critical information to investors in a timely manner.

These charges underscore the importance of maintaining robust cybersecurity measures and the need for transparency in the wake of a security incident.

The SolarWinds breach and subsequent charges caused a significant shift in how enterprises perceive and approach cloud-native security, specifically how they mitigate attacks on the software supply chain.

One major consequence of this attack was the revelation of an urgent need for stronger security in the software supply chain. The attack showed how an attacker could introduce malware into an update provided by a software vendor and, by bypassing existing security measures, compromise trusted IT management software already deployed in customer environments.

Specifically, companies and CISOs are now reevaluating their security postures, implementing tighter protocols to protect against supply chain attacks and strengthening their cloud infrastructure. This means more emphasis on scanning, continuous monitoring and zero-trust security strategies.

The incident also sparked conversations about the responsibility and accountability of CISOs in ensuring the security of their organizations. CISOs are now faced with a mandate to not only strengthen existing security measures, but also ensure rapid and transparent communication in the event of a breach.

CISOs lead the functions that deal most directly with potential threats while carrying a critical mandate to protect corporate data, employees and customers at all costs. Navigating this complex environment now means taking on personal liability in addition to responsibility for organizational security.

Jim Routh, board member, advisor, investor and former CSO/CISO, shared his thoughts:

“The reality is that when we engage in cybersecurity operational practices with threat actors, the clarity of legal responsibility is unclear at best. CISOs lead functions that interact with threat actors through technical proxies and sometimes directly (for example: bug bounty programs) when using services from security intelligence firms that deal with threat actors on a daily basis. CISOs must navigate this ‘mess’ with guiding principles and now must follow the personal responsibility that comes with it.”

The incident has intensified discussions about the responsibility and accountability of CISOs in guaranteeing the security of their organizations. They are not only tasked with strengthening existing security measures, but are now expected to ensure rapid and transparent communication after a breach.

As a result, Jim also points to a number of new areas to consider during the CISO negotiation process before an offer is made and compensation terms are settled. Also pointing to the recent Uber verdict, he recommends that CISOs determine whether they are considered a company officer:

  • Be aware of what level of indemnity coverage is offered (attorneys’ fees for the company’s law firm, dedicated counsel’s fees for the CISO, and fines paid by the business, including convictions).
  • What are the current regulatory reporting and enforcement policies? (The CISO is usually not responsible for the legal team making the announcement, but that didn’t help Joe.) Jim shares more insights on this topic in a recent webinar: The Uber Verdict: The CISO, the Law and the Door!

Further complicating the navigation of information sharing, Jim adds, “The SEC’s recent action against Tim Brown sets a precedent that makes sharing information between regulators and the private sector much more challenging, which is in direct conflict with efforts to improve information sharing between government entities and the private sector, where most critical infrastructure is located.”

Jim Routh quote: The role of the CISO has evolved considerably in the wake of the SolarWinds incident and subsequent SEC charges. CISOs are now tasked with a more strategic and all-encompassing role that includes not only implementing robust security measures, but also being proactive in assessing and managing risk.

One of the important lessons from this case is the need for transparent reporting. CISOs and company leaders should establish a culture of openness in cybersecurity reporting and avoid false statements that can have serious legal and financial consequences.

In addition, there is a need for organizations to prioritize robust cybersecurity measures, not only for regulatory compliance, but also to proactively defend against known vulnerabilities and emerging threats. Effective risk management and prompt resolution of known vulnerabilities, as well as consistency between internal assessment and external disclosure, are essential.

Aaron Weis, CEO of Google and former CIO in the US Navy, shared his thoughts:

“This decision has significant implications for CISOs moving forward, highlighting the need for increased vigilance, proactive risk management and transparent communication with stakeholders. Fostering a culture of cybersecurity awareness throughout the organization is vital.”

“This ensures that every employee understands their role in maintaining security. Finally, organizations must be prepared for incidents. Given the inevitability of cyber attacks, it is essential to have robust incident response plans in place to minimize damage and enable rapid recovery.”

The SolarWinds incident and subsequent actions taken by the SEC have undeniably reshaped the narrative of cloud-native security and the role of the CISO. The focus has shifted to emphasizing the critical importance of cybersecurity practices to companies.

Beyond simply complying with regulations, this case underscores the need for organizations to proactively reduce risk and protect their reputation. As key figures in this field, CISOs must take a leadership role in this effort.

Aaron Weis quote: “As the environment continues to evolve, companies are likely to invest more in robust cybersecurity infrastructure and incident response mechanisms. CISOs will be at the forefront of this transformation and will play a key role in steering their organizations toward a more resilient and secure future.”

The SEC’s charges against SolarWinds Corporation and its CISO acted as a wake-up call that prompted a re-evaluation of cybersecurity strategies and CISO responsibilities. Aaron summarizes the results as follows:

  • Increased responsibility for cybersecurity: CISOs need to recognize that their role goes beyond technical implementation to encompass broader aspects of cybersecurity management, including risk assessment, vulnerability management and incident response preparedness.
  • Strengthened internal controls: CISOs should work with senior management and internal audit teams to establish robust internal controls that effectively identify, evaluate and mitigate cybersecurity risks.
  • Transparent risk disclosure: CISOs must ensure that cybersecurity risks and vulnerabilities are accurately communicated to investors and other stakeholders to provide a transparent and realistic picture of the company’s cybersecurity posture.

The incident underscored the critical need for proactive and transparent security measures in the era of cloud-native operations. Enterprises must adapt in the future by strengthening their security protocols and empowering CISOs to lead the charge in strengthening their organization’s cybersecurity resilience.

The fallout from the SolarWinds breach is a pivotal moment that propels us toward a more secure and vigilant future in cloud-native security.