Not too long ago, we read extensively about Uber having a breach. It didn't go well for Uber, as the company was seen to have covered up the matter under the guise of a bug bounty program. Senior management and the Board took a settlement, while the CISO, Joe Sullivan, was charged and found guilty. I wrote extensively about the Uber CISO issue here [1].
Winds of Legal?
The SolarWinds breach itself isn't groundbreaking news at this point, but what is happening in its aftermath is becoming groundbreaking.
In an unusual move, the SEC is looking at holding SolarWinds employees, including the CISO, accountable for the breach.
This became public when SolarWinds disclosed in an SEC filing [4] that the SEC had put executives on notice that it may pursue legal action for violations of federal securities laws, citing the 2020 breach. The notice covers both current and former employees. Based on the filing, the Chief Financial Officer and the Chief Information Security Officer are among those who received Wells Notices from the SEC [3].
Wells Notice
A Wells Notice informs the recipient that SEC staff have made a preliminary determination to recommend that the Commission file a civil enforcement action against them under the provisions of US federal securities law.
A Wells Notice is neither a formal charge of wrongdoing nor a final determination that the recipient has violated any law. It puts the individual on notice that something may happen, legally of course, and gives them the chance to respond in writing (a "Wells submission") before the Commission decides whether to proceed.
So what can happen? In a civil enforcement action the SEC can seek, among other remedies, an officer-and-director bar, which would prevent the person(s) involved from serving as an officer or director of a public company. Simplified: they may effectively be barred from holding such roles.
How now CISO?
The cascading impact on fellow CISOs is hard-hitting.
Jamil Farshchi, Equifax's CISO, wrote in a LinkedIn post [5] that this move by the SEC is unprecedented. The usual recipients of a Wells Notice are the CEO and CFO, and this is the first time a CISO has been served. According to Farshchi, it is most likely tied to the requirement to disclose material facts, which involves the duty to "disclose gravity of an incident, or failing to do so in timely manner". The spotlight is now falling on the CISO more than ever before.
Not too long ago, I got myself into a debate about ethics and doing the right thing. There were two sides to the discussion: one pro-corporate, the other doing the right thing. Looking at both Uber and SolarWinds now, it's clearer that the pro-corporate choice may secure your salary but put you in deeper trouble in the long run.
Collective Responsibility
The lack of collective responsibility is glaring, and it will be a talking point at conferences around the world in the years to come. Pointing the finger solely at the CISO for a security failure, when many organizations draw clear lines between their lines of defense, misplaces where responsibility actually sits. In SolarWinds' case the attackers compromised the software build pipeline, which in many organizations is owned by engineering rather than by the security function. Imagine your neck on the chopping block when you have no control over what Security Operations, or the build team, does.
There also seems to be a trend (at least in Asia) of hiring CISOs who lack even basic cybersecurity knowledge. Certifications are treated as the bare minimum requirement, yet a glaring lack of working experience still lands people in the CISO role, even in large organizations. Is this a future defense strategy for organizations to shift blame onto individuals? A short-sighted approach? Or just some department chasing quick wins by hiring someone for pennies to save a few pounds?
References
[1] Ramasamy, Dr. S. (2023, May 8). Uber CISO convicted. LinkedIn. https://www.linkedin.com/pulse/uber-ciso-convicted-ramasamy-cissp-cism-gcti-gnfa-gcda-cipm
[2] The White House. (2023, March 2). FACT SHEET: Biden-Harris Administration Announces National Cybersecurity Strategy. Retrieved 30 June 2023, from https://www.whitehouse.gov/briefing-room/statements-releases/2023/03/02/fact-sheet-biden-harris-administration-announces-national-cybersecurity-strategy/
[3] CSO Online. (2023). SEC notice to SolarWinds CISO and CFO roils cybersecurity industry. Retrieved 3 July 2023, from https://www.csoonline.com/article/643618/sec-notice-to-solarwinds-ciso-and-cfo-roils-cybersecurity-industry.html
[4] SolarWinds Corporation. (2023). SEC filing. https://d18rn0p25nwr6d.cloudfront.net/CIK-0001739942/02aed9ff-6065-4158-8efd-6b5e31f7eb89.pdf
[5] Farshchi, J. (2023). LinkedIn post: #technology #cybersecurity #riskmanagement. Retrieved 3 July 2023, from https://www.linkedin.com/posts/jamilfarshchi_technology-cybersecurity-riskmanagement-activity-7079075622831984640-5F7G/