2023-12-12

There's no question that a career as a top security leader is rewarding and something to aspire to. But before you consider taking that career path, there are some lessons to be learned from a recent case that shows just how tough a job it can be. You've gotten the education, paid your dues and you're ready to tackle the role of CSO or CISO, to make the big decisions and determine how security will be a key part of your firm and what it does.

Before you start down this road, or even if you are continuing down it, there are some lessons that can be learned from the trial of the Securities and Exchange Commission (SEC) versus SolarWinds and its CISO Timothy Brown. It's an important case, one that demonstrates potentially severe repercussions for CISOs and has even caused some to reconsider the role. How would you have handled the situation if you were in charge?

The SEC has accused Brown of misleading investors by not disclosing "known risks" and not accurately representing the company’s cybersecurity measures during and before the 2020 Sunburst cyberattack that affected thousands of customers in government agencies and companies globally. “SolarWinds violated reporting and internal controls provisions of the Exchange Act; and Brown aided and abetted the company’s violations,” the SEC said in a press release.

Risk management and disclosure are key complaints by the SEC

The claimed failures include not abiding by the statements the company made on its website regarding its patterns and practices for developing its software, as well as its internal password policies. The SEC complains in its filings that the company did not disclose cybersecurity risks independently from other risks, given SolarWinds' role and industry (it sells a network and applications monitoring platform called Orion), nor pay extra attention to the risk of targeted attacks and the disclosure needs surrounding them.

The SEC found internal emails in which the CISO indicated that the company was not abiding by its public security development lifecycle statement. When internal communications indicated that improvement was needed, the company's SEC filings said nothing about these issues being worked on. When others on the network security team were pointing out deficiencies in network access and VPN protocols, it appears that appropriate action was not taken.

There were emails, internal messages, and text messages documenting internal knowledge that customers were at risk using the software as well as increasing evidence that attackers knew of the situation as well. However, during this time no disclosures were made to the SEC or even to customers at risk.