The recent news of the Securities and Exchange Commission (SEC) charging SolarWinds’ Chief Information Security Officer (CISO), Timothy Brown, with fraud has sent shockwaves through the cybersecurity community. The allegations of misleading investors about the company’s cybersecurity practices and failing to disclose known risks have serious implications for CISOs across industries. Beyond the inherent benefits of building and proving cyber capabilities, this incident underscores the importance of CISOs having robust evidence of their teams’ cyber capabilities to prove cyber resilience and avoid SEC fines.

The SEC’s complaint against Timothy Brown focuses on violations of antifraud provisions of the Securities Act of 1933 and the Securities Exchange Act of 1934. The charges allege that Brown overstated SolarWinds’ cybersecurity practices and failed to disclose known risks, which resulted in investors receiving misleading information. The SEC seeks various penalties, including permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director bar against Brown.

This case will have far-reaching consequences for cyber leaders everywhere.

The need for evidence of cyber capabilities

In the wake of the SolarWinds incident, CISOs must recognize the importance of providing evidence of cyber resilience across individuals, teams, and the entire workforce. This evidence can help CISOs prove due diligence to the Board and regulators and maintain the trust of investors.

Here are a few key reasons why evidence of cyber capabilities is crucial:

Building trust with investors

Investors rely on accurate and transparent information to make informed decisions. By providing evidence of robust cybersecurity practices and risk management, CISOs can build trust with investors. This evidence can include documentation of security controls, incident response plans, penetration testing results, and employee training records.

Meeting regulatory requirements

Regulatory bodies, including the SEC, are increasingly focused on cybersecurity and expect organizations to have effective controls in place. CISOs must ensure their teams comply with relevant regulations and provide evidence of their compliance efforts. This includes demonstrating adherence to frameworks such as the NIST Cybersecurity Framework or ISO 27001.

Proactive risk management

CISOs need to demonstrate that they have a proactive approach to risk management. This includes evidence of regular vulnerability assessments, threat intelligence monitoring, and proactive incident response planning. By showcasing their teams’ ability to identify and mitigate risks, CISOs can demonstrate their commitment to cyber resilience.

Continuous improvement

Evidence of ongoing improvement is essential to demonstrate that cybersecurity practices are not stagnant. CISOs should provide evidence of regular security assessments, training programs, and updates to policies and procedures. This demonstrates a commitment to staying ahead of emerging threats and adapting to changing cybersecurity landscapes.

Tested incident response capabilities

In the event of a cyber incident, CISOs must be able to demonstrate their teams’ incident response capabilities. This includes evidence of incident response plans, tabletop exercises, and post-incident analysis. By showcasing their ability to effectively respond to and recover from incidents, CISOs can instill confidence in leadership.

The SolarWinds incident and the subsequent SEC charges against its CISO highlight the need for CISOs and other cyber leaders to have robust evidence of their teams’ cyber capabilities. By providing this evidence, CISOs can demonstrate cyber resilience, build trust with investors, and avoid potential fines.

It is crucial for CISOs to prioritize continuous exercising across the workforce, along with the data needed to prove cyber capabilities. By doing so, CISOs can navigate the evolving cybersecurity landscape and ensure their organizations are well-prepared to mitigate cyber risks.

To learn more about evidencing organizational cybersecurity, read about the Immersive Labs Resilience Score.



November 9, 2023


Max Vetter