CISOs beware: SEC’s SolarWinds action shows they’re scapegoating us

David Lindner, Dark Reading

November 14, 2023


I’m stressed.

Any chief information security officer (CISO) who’s paying attention should be stressed, in light of the Securities and Exchange Commission’s (SEC’s) decision to charge SolarWinds and former CISO Timothy G. Brown in a 68-page complaint. The SEC is alleging that the company and its then security head defrauded investors and customers through “misstatements, omissions, and schemes that concealed both the company’s poor cybersecurity practices and its heightened — and increasing — cybersecurity risks.”

It’s not an isolated incident — and it certainly won’t be the last — where a cybersecurity leader faces accountability for their organization’s security posture.

In March 2023, the SEC proposed a number of changes to cybersecurity oversight, including notification periods about breaches and incidents. Everyone has to comply: Breach notification is now a matter of hours — the rule requires notification to the SEC within four days of discovering that a significant cybersecurity incident is material — instead of months.

Missed Opportunity: The SEC Failed to Require CISOs on the Board

Beyond a four-day breach notification requirement, the SEC was also pushing to require that all SEC-regulated corporations be prepared to demonstrate security representation on their board.

Given a wave of pushback, the requirement was subsequently dropped. I find that regrettable. The SEC had been trying to create accountability by holding a board accountable and liable for issues concerning cybersecurity incidents that inevitably occur from time to time.

But now, in the case of SolarWinds, the SEC has turned around and directly gone after somebody who’s only now the CISO. Brown wasn’t the CISO when the breaches happened. He had been SolarWinds’ VP of security and architecture and head of its information security group between July 2017 and December 2020, and he stepped into the role of CISO in January 2021.

The result of the SEC’s failure to mandate security leadership on corporate boards is that they’ve resorted to holding the CISO liable. This shift underscores a significant transformation in the CISO landscape.

To read the complete article, visit Dark Reading.

 
