SolarWinds this week announced that its vice president of security Tim Brown has taken on the additional title of chief information security officer, as part of the company’s ongoing efforts to institute a secure-by-design posture following the devastating supply chain attack on its Orion IT administration software.
Experts say that promoting a CISO from within under these circumstances can help a company meet an aggressive security improvement strategy, because the executive is already familiar with the inner workings of the business and with the incident itself. What is not clear from the announcement, however, is how much more impact Brown will have than he already had in his previous role.
Dan Kennedy, research director, information security and networking at 451 Research, told SC Media that there are “certainly some advantages to having both someone directly involved with the Orion breach investigation as part of what are now the strategic security choices that SolarWinds has to make going forward – and notably elevating a security position to the company’s executive team.”
“In this situation, SolarWinds is working quickly to both make changes in how they secure the way they develop software and propagate patches, and evangelize the messaging around those changes to a customer base that has concerns, having endured a rough end of last year of emergency patch management and threat hunting,” Kennedy continued. “Having someone who is empowered to act strategically, who is already up to speed on both the internal environment and the specific issues – and to be sure there’s some complexity involved here in securing the development operations of a network/infrastructure management tool company – means he won’t have to lean on anyone for that information or have a ramp up time.”
This is not to say that there are no advantages to bringing in a fresh face with new perspectives. Jamil Farshchi, who cleaned up a data breach at Home Depot, was tapped by Equifax as CISO after its own breach.
“And it doesn’t have to be the same industry vertical – many experiences in security translate across verticals – but there’s a learning curve involved in figuring out the nuances of different types of companies,” said Kennedy. “Sometimes an outsider has a grace period, where that person has some latitude to make changes based on the perception of the expertise they bring in and a clean slate in terms of organizational politics.”
However, said Malcolm Harkins, chief security and trust officer at Cymatic, if the company already “had a capable person internally, who was just held back from doing what was needed to be done before, you will hit the ground faster with [that] internal hire who knows the company, knows what’s wrong, and it’s possible they knew what to fix but were ignored previously.”
Still, the question remains: As CISO, will Brown be able to influence security policy in ways he wasn’t as VP of security?
“Hard to say. This could be just a PR move” on the part of SolarWinds, said Harkins. “The real question is whether or not it’s a title change or a scope/role change.” That won't be clear “until you see some real changes, if they ever share them externally.”
For instance, Harkins has held multiple titles at various organizations, including director of information security, vice president, and CISO, but “my scope didn’t change, nor my responsibilities. Only my paycheck.”
In a press release, Austin, Texas-based SolarWinds notes that Brown has “25 years of experience developing and implementing security technology” and “holds 18 issued patents on security-related topics.” It also says he’ll be responsible for security compliance, internal audits, IT operations, risk measurement and remediation efforts, and the promotion of the company’s Secure by Design initiative.
What is not clear, however, is how many of those responsibilities he already had prior to the promotion. (SC Media reached out to SolarWinds for an interview with Brown.) But it would make sense if he wielded even greater influence going forward, as his new CISO title suggests.
Indeed, being a CISO carries with it a certain weight.
“To be a CISO/CSO, I have said… you need to be Z-shaped: a breadth of biz acumen, a breadth of tech acumen and the hash to make the ‘z’ is the depth of risk/security knowledge,” said Harkins. “Surrounding all that needs to be a level of leadership, integrity, independence.”
CISOs need to manage the internal battlefield of budgets, he added, as well as bureaucracy, so the team can manage and mitigate the external battlefield of the threat actors.
Kennedy noted that the SolarWinds press release specifically said Brown was added to the company’s executive team. “I’m hoping that translates to security having a seat at the table in terms of strategic decision-making, something many security executives struggle to attain in their enterprises, that unfortunately deprioritizes information security concerns,” he said.
Still, one aspect of SolarWinds’ announcement gives Kennedy pause: “Every time that I hear a company of a certain scale is ‘creating a CISO position’, I have to wonder why it wasn’t there before?”
SolarWinds also named Rohini Kasturi its chief product officer and Andrea Webb its chief customer officer. “The newly appointed executive roles reinforce the company’s commitment to customer experience and success, security, and product innovations to support an increasingly hybrid IT world,” the company press release states.