The Securities and Exchange Commission (SEC) has alleged that SolarWinds concealed cybersecurity defense issues before a December 2020 attack linked to APT29, the Russian Foreign Intelligence Service (SVR) hacking division. Hackers found a way to insert malware into a version of the company's Orion IT monitoring application, allowing Russian operatives to gain a foothold in high-value targets. They used the access to deploy additional malware to compromise internal and cloud-based systems and steal sensitive information over several months. The SEC claims that its CISO Timothy G. Brown was aware of the cyber security risks and poor practices, but SolarWinds failed to notify its investors. Instead, the company reportedly disclosed only broad and theoretical risks to its investors.
SEC says a Solar Winds Internal Document that the engineering teams could no longer keep up with a long list of new security issues they had to address.SolarWinds has denied the SEC's charges and says it deliberately chose to speak candidly and frequently about security by sharing what it learned to help others become more secure. This lawsuit marks the first time the SEC has held a CISO personally accountable for cybersecurity failures. The charges will reignite concerns among CISOs about the liabilities associated with the role.
CISO/Security Leaders Dilemma - The general viewpoint is the CISO is responsible for all the security issues. Still, in practice, CISOs often need more power and authority to get things issues fixed. In most organizations, the CISO will report to the CLO, CTO, or CRO, which is counterproductive. The CISO should report directly to the CEO and the board of directors' cybersecurity committee to be effective. It's well-known in the industry that the CISO does not get the same Compensation indemnity as the other benefits that the other leaders, like the CEO or CPO, get. The reality is that without any significant incidents, business leaders often see information security as a cost center.
In most cases, the CISO and the Security Leadership team are aware of significant security gaps. The critical issue is that the business leadership does not prioritize the security issues as it's not revenue-generating efforts. Vulnerability Management, Bug Bounty, Appsec, Pentest, Red team, and CSIRT Teams detect many security gaps quickly. Still, they often hear that the sheer volume of security issues being identified is much higher than the capacity of Engineering teams to resolve them. Often, project managers deprioritize the security issues over the new features. To Solve this, Leaders should implement a couple of following things: