The SolarWinds lawsuit and why the CISO role just got harder
Simon Moore, CRMG’s Senior Managing Consultant, takes a closer look at what impact the SEC’s lawsuit against SolarWinds will have on CISOs moving forward
The role of Chief Information Security Officer is a tough one.
Not only are CISOs ultimately responsible for an organisation’s cyber resilience, and must account to boards, shareholders and regulators on highly complex, often fluid situations involving active and potential threats, but they also tend to be undervalued and underpaid.
CISOs across the world are now also concerned about the legal implications that come with the role following news that the U.S. Securities and Exchange Commission (SEC) has filed a lawsuit against SolarWinds and its Chief Information Security Officer.
The lawsuit alleges that SolarWinds CISO Timothy Brown, together with the company, misled investors about the state of SolarWinds’ cybersecurity in the period leading up to and including the significant attack on the company’s software supply chain disclosed in 2020.
It’s one of the first times a regulator has pursued a CISO personally for allegedly mismanaging cyber risk. The suit goes so far as to allege that Brown was aware of weaknesses in the company’s systems and security practices but that these were not adequately disclosed to investors, resulting in misleading statements in the company’s SEC filings and public security statements.
Unsurprisingly, this has divided opinion in the wider cybersecurity community, and especially among CISOs. My feeling is that the lawsuit adds yet more pressure to a role that is already squeezed and, in most cases, underpaid. It also opens up questions about how CISOs should operate moving forward.
Let me explain by way of example. Take threat hunting and vulnerability scanning, whether automated or carried out by an analyst. Does this now mean that if a company discovers a weakness, the CISO is duty-bound to tell shareholders? The reality is that at any given time there will be many open vulnerabilities and gaps in cyber maturity, and these must be managed and remediated in priority order.
The factors that determine that priority order are many, and include timeliness, risk appetite and tolerance levels, return-on-security-investment calculations, and decisions to transfer or accept risk through insurance or resilience measures. These are just some of the considerations, and this is why it is such a complex area that non-specialists are unlikely to understand fully.
If indeed CISOs are now expected to report all weaknesses to the board and/or shareholders, those that do not have a deep understanding of cybersecurity and cyber risk will be easily and unnecessarily spooked, and this will have other, negative consequences for the business.
It also raises the question of where the line sits between what must be notified and what can be left to be verified by specialist audits.
Another example of how the SolarWinds lawsuit could impact the CISO role lies in the questions CISOs face from shareholders, regulators and the press, and the answers they give. Answers must be provided to these parties, and they must not be deceitful or misleading. But how detailed does the answer need to be?
Would an answer to the effect “trust me, we are good on this” suffice? Or would it need to be “we have been audited on this and we are good”? Or would it need to be incredibly detailed? Moving forward, I believe that these answers will now be preceded by “we are looking into this and will advise shortly” but again this just adds more pressure to the CISO role.
Ripples from the lawsuit will also be felt by talented security professionals mapping out their career paths. Is CISO really a position they want to hold, given the pressures of the role, the personal legal exposure and its relatively low pay? Probably not.
If that is the case, talented, skilled security professionals will move away from the front line, and this simply hands the advantage back to hackers and criminals.
The SolarWinds lawsuit is a seismic event in the cybersecurity world and one that will continue to split opinion and stir debate. But no matter which way you look at it, the role of Chief Information Security Officer just got a lot tougher.