The U.S. Securities and Exchange Commission (SEC) has charged SolarWinds and its chief information security officer (CISO) for allegedly misleading investors about cybersecurity practices and risks in the two years leading up to its disclosure of a significant hacker attack.
The SEC’s complaint alleges that SolarWinds’ filings between its October 2018 IPO and its disclosure of the breach misled investors by only mentioning “generic and hypothetical risks”, while CISO Timothy Brown allegedly knew of specific cybersecurity problems and “increasingly elevated risks”.
The charges have sent shockwaves through the cybersecurity industry, with CISOs across the board reevaluating their roles and responsibilities.
Industry leaders have commented on the implications of the SEC charges for CISOs and organizations, and shared recommendations on how they can avoid ending up in a similar situation.
Igor Volovich, VP of Compliance Strategy at Qmulos, highlighted the importance of aligning cybersecurity with corporate risk, compliance, and regulatory functions. Petri Kuivala, Chief Information Security Officer Advisor at Hoxhunt, stressed the importance of CISOs being able to convey truthful messages to decision makers without confusing them with the technical details.
Agnidipta Sarkar, Vice President CISO Advisory at ColorTokens, expressed concern that the SEC charges could damage the reputation of the CISO role and make it more difficult to attract and retain qualified candidates.
The sources for this piece include an article in SecurityWeek.
