THE DFIR BLOG
SEC Files a Lawsuit against SolarWinds CISO

11/4/2023

The Securities and Exchange Commission (SEC) has alleged that SolarWinds concealed cybersecurity defense issues before a December 2020 attack linked to APT29, the hacking division of the Russian Foreign Intelligence Service (SVR). Hackers found a way to insert malware into a version of the company's Orion IT monitoring application, allowing Russian operatives to gain a foothold in high-value targets. They used that access to deploy additional malware, compromise internal and cloud-based systems, and steal sensitive information over several months. The SEC claims that SolarWinds' CISO, Timothy G. Brown, was aware of the cybersecurity risks and poor practices, but SolarWinds failed to notify its investors. Instead, the company reportedly disclosed only broad and theoretical risks to its investors.
The SEC cites an internal SolarWinds document stating that the engineering teams could no longer keep up with a long list of new security issues they had to address. SolarWinds has denied the SEC's charges and says it deliberately chose to speak candidly and frequently about security, sharing what it learned to help others become more secure. This lawsuit marks the first time the SEC has held a CISO personally accountable for cybersecurity failures. The charges will reignite concerns among CISOs about the liabilities associated with the role.
Source

CISO/Security Leaders' Dilemma
- The general viewpoint is that the CISO is responsible for all security issues. Still, in practice, CISOs often need more power and authority to get issues fixed. In most organizations, the CISO reports to the CLO, CTO, or CRO, which is counterproductive. To be effective, the CISO should report directly to the CEO and to the board of directors' cybersecurity committee. It is well known in the industry that the CISO does not get the same compensation and indemnity benefits that other leaders, like the CEO or CPO, get. The reality is that, absent any significant incidents, business leaders often see information security as a cost center.

In most cases, the CISO and the security leadership team are aware of significant security gaps. The critical issue is that business leadership does not prioritize security issues because they are not revenue-generating efforts. Vulnerability Management, Bug Bounty, AppSec, Pentest, Red Team, and CSIRT teams detect many security gaps quickly. Still, they often hear that the sheer volume of security issues being identified is much higher than the capacity of engineering teams to resolve them. Often, project managers deprioritize security issues in favor of new features. To solve this, leaders should implement the following:
  • Risk Management Program - All identified risks should be documented in the risk register and managed actively. The security team should only *accept* a risk if the likelihood of exploitation is low. The number of risks accepted by leaders is also a good measure of the security program. There should be a committee with stakeholders from all the different departments/units in the organization. A risk should be accepted only after detailed discussion and documentation, and every risk, accepted or not, should have a timeline to fix it.
  • Security Architecture Program - All new app/feature/tool development work should undergo a detailed threat modeling process in the design phase. All identified risks should be mitigated before moving to the development phase.
  • Data-Driven Security - Security issues, bugs, and vulnerabilities should be measured weekly, and insights should be regularly shared with the executive team.
  • Red Team - Most security leaders will not consider starting a red team early in a security program. In reality, the red team is often the most effective team at finding security issues in the company. The red team should be given enough freedom and support to operate and emulate adversary behaviors.