The SolarWinds compromise of 2020 had a global impact and garnered the resources of both public and private sectors in an all-hands-on-deck remediation effort. The event also had a deleterious effect on the SolarWinds stock price. These two events were, predictably, followed by a bevy of civil lawsuits. Fast forward to late March 2022 and we have a federal court saying the suit that named SolarWinds; its vice president of security and CISO, Tim Brown; as well as two prime investor groups, Silver Lake and Thoma Bravo, may go forward.

As Violet Sullivan, cybersecurity and privacy attorney of client engagement at Redpoint Cybersecurity, observes, the judge finds that the plaintiffs “may have a claim, so the judge is going to hear it.” She explains, “It’s not what is being said in the order that is interesting. It’s what will be shown during the discovery process that is interesting. There will be questions in this suit including: Will the forensic reports be available during the discovery or covered by attorney-client privilege?”

Key question: Did SolarWinds cut corners on security?

The judge’s decision served to highlight what every CISO dreads: the cutting of corners by personnel in the basic implementation of cybersecurity 101. Password management carries a price. SolarWinds is adamant that the infamous password “solarwinds123” that a security researcher found in November 2019 on an “update server” was changed within the hour of being notified and isn’t related to the Russian breach of SolarWinds. However, Sullivan opines, the “password issue on the update server is … just an entry point.”

The judge decided “the allegations of underlying security issues (such as the ‘solarwinds123’ password breach)” need not suggest that these security issues directly caused the loss.
Instead, their purpose is to demonstrate that the executives were at least reckless in not realizing that something was dangerously amiss. “An egregious refusal to investigate may give rise to an inference of recklessness.”

[Editor's note: A SolarWinds spokesperson responded to this story with this statement: “We disagree strongly with the claims made by the plaintiff and look forward to having the opportunity to present the true facts as this process continues beyond its current very early stage.”]

Indeed, the one-off violation associated with the “update server” is not unique to any one company. Shortcuts are taken, and policies exist to diminish the likelihood of incidents such as this. That said, former employees, described in the judge’s decision as “a sales engineer, a security specialist, a backup and disaster recovery specialist, a director of global recruiting, an HR contractor, a security account manager, and a marketing associate,” all alleged the lack of such cybersecurity policies.

While the civil lawsuit will continue its course, there are several important takeaways for CISOs.

Personnel need to follow policy and procedures

To the company’s credit, it published a “security statement,” which described the seriousness of cybersecurity policies and procedures. Whether this was window dressing or reality is what the suit will determine, as the plaintiffs allege the marketing and public relations statements made by SolarWinds on its website, including video statements from the CISO, projected a mature cybersecurity culture within SolarWinds that did not exist.

CISOs should ensure business or operations are the drivers of the policies and procedures being followed by their personnel, with the CISO’s team in information security supporting the business.
This requires business operations to ensure alignment between what the company is saying publicly and what it is doing internally.

Sullivan notes as the case moves forward, “What other exhibits will be referenced to show negligence on behalf of SolarWinds? What can you imagine as a CISO that might be used against you to show that you are just a compliance ‘check the box’ place, or do you really care about security (reasonableness standard)?”

Maintain a register to track and manage risks

Matt Georgy, CTO of Redacted, Inc., observes, “What makes SolarWinds’ exploitation particularly bothersome is the fact that it’s used to manage/monitor IT systems.” Core to a risk management program is the risk register, wherein risks to business operations are tracked and managed, he continues. This includes risks associated with reliance on commercial software applications and open-source software.

Document cybersecurity training

It is noteworthy that this mixed bag of employees and contractors allege that they “were not aware of an information security policy or a password policy, and they did not receive cybersecurity training.” The need for documentation cannot be overstated. Being able to trot out evidence that not only was training provided, but the employee provided attestation that the training was received and assimilated, silences allegations of lack of training quickly.

Assign mission-critical tasks according to risk

“Organizations need to reconsider how they assign mission-critical business tasks by risk ranking activities,” says Matthew Rogers, global CISO at Syntax. “It is not always about the work being done that should be assessed when tasks are being assigned. Instead, businesses today must consider the gravity of the error that could happen if work is performed improperly and be overly cautious when identifying ownership of these types of assignments.
It’s worth paying more for experience and quality for simple work that could cost you everything if done wrong.”

“At the end of the day, the buck stops with the CISO,” says Justin Wray, director of innovation security at CoreBTS. “Security is not a one-person show,” and the CISO is supported by a team of experts engaged in the technical activities of cybersecurity.

Have a long-term security plan, but be prepared to pivot

Wray makes an observation, which I posit all CISOs would embrace: “It is vital to note that while a high-level, long-term plan is important to a secure IT roadmap, life happens and no one is completely safe from a breach. The security world is changing every day and in the event of a breach, such as SolarWinds, a CISO needs to know how to pivot. Security control and implementation, meaning leveraging day-to-day resources to monitor tools and updates, is the foundation of a solid security posture. Organizations that remain stagnant because everything looks fine on the outside are not properly setting up their organization for success when a breach ultimately occurs.”

Similarly, given the dynamic nature of every business, policies and procedures must be easily accessible and updated regularly. Updates are driven by changes in business direction, risk identification, and mitigation, all of which are owned by the business operations group, again with the support of the CISO and the infosec team.

Resource cybersecurity according to risk

CISOs are uniquely positioned to provide insight on the threat landscape to business operations and together create the appropriate risk management plan. I recently mentioned how cybersecurity is often something companies get around to.
The SolarWinds cyberattack and the resultant civil lawsuits are demonstrating that well-documented investment in cybersecurity must be at the forefront.

The managing director of NetSPI, Nabil Hannan, says, “Internal threats are still a lingering and often under-addressed cybersecurity threat within organizations, especially when compared to the resources applied toward external threats. But, with buy-in from an organization's leadership team, CISOs can have the resources needed to develop a proactive and ongoing threat detection governance program.”

Those who hesitate may find themselves playing catch-up, spurred along by the new U.S. Securities and Exchange Commission initiative requiring public disclosure of information security breach information within four days of discovering that the breach is material, which will effect direct change. Similarly, the SEC’s desire to have companies describe how they address cybersecurity will drive greater transparency within many companies. This SEC effort will pull infosec out of the back room and to the forefront, as policies, procedures, resourcing, and expertise will be on full display via the required SEC filings.