The recent news of the Securities and Exchange Commission (SEC) charging SolarWinds CISO Timothy Brown with fraud has sent shockwaves through the cybersecurity community. The allegations of misleading investors about the company's cybersecurity practices and failing to disclose known risks have serious implications for CISOs across industries. Beyond the inherent benefits of building and proving cyber capabilities, this incident underscores the importance of CISOs having robust evidence of their team’s cyber capabilities to prove cyber resilience and avoid SEC fines.
The SEC's complaint against the SolarWinds CISO focuses on violations of antifraud provisions of the Securities Act of 1933 and the Securities Exchange Act of 1934. The charges allege that Brown overstated the company’s cybersecurity practices and failed to disclose known risks, leading to misleading information for investors. The SEC seeks various penalties, including permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director bar against Brown. We can expect that this case will have far-reaching consequences for cyber leaders everywhere.
The need for proving cyber capabilities
In the wake of the SolarWinds incident, CISOs must recognize the importance of delivering evidence of cyber resilience, across individuals, teams, and the entire workforce. This evidence can help CISOs prove due diligence to the board and regulators and maintain the trust of investors.
Here are five reasons why it’s crucial for CISOs to be able to provide evidence of cyber resilience:
- Build trust with investors: Investors rely on accurate and transparent information to make informed decisions. By providing evidence of robust cybersecurity practices and risk management, CISOs can build trust with investors. This evidence can include documentation of security controls, incident response plans, penetration testing results, and employee training records.
- Meet regulatory requirements: Regulatory bodies, including the SEC, are increasingly focused on cybersecurity and expect organizations to have effective controls in place. CISOs must ensure their teams comply with relevant regulations and offer evidence of their compliance efforts. This includes demonstrating adherence to frameworks such as the NIST Cybersecurity Framework or ISO 27001.
- Develop proactive risk management: CISOs need to demonstrate that they have a proactive approach to risk management. This includes evidence of regular vulnerability assessments, threat intelligence monitoring, and proactive incident response planning. By showcasing their teams' ability to identify and mitigate risks, CISOs can demonstrate their commitment to cyber resilience.
- Foster continuous improvement: Evidence of ongoing improvement is essential to demonstrate that cybersecurity practices are not stagnant. CISOs should offer evidence of regular security assessments, training programs, and updates to policies and procedures. This demonstrates a commitment to staying ahead of emerging threats and adapting to changing cybersecurity landscapes.
- Test incident response capabilities: In the event of a cyber incident, CISOs must demonstrate the incident response capabilities of their teams. This includes evidence of incident response plans, tabletop exercises, and post-incident analysis. By showcasing their ability to effectively respond to and recover from incidents, CISOs can instill confidence in leadership.
In the wake of these charges, we'll see CISOs and senior leaders put a greater focus on understanding the cyber-readiness of their workforce and on ensuring they have the right data to demonstrate capabilities. By showing this evidence, CISOs can demonstrate cyber resilience, build trust with investors, and avoid potential fines. It’s crucial for CISOs to prioritize continuous exercising across the workforce, along with the data needed to prove cyber capabilities. By doing so, CISOs can navigate the evolving cybersecurity landscape and ensure their organizations are well-prepared to mitigate cyber risks.
Max Vetter, vice president of cyber, Immersive Labs