SEC SolarWinds charges: What CISOs should learn and do

The recent charges sent a strong message about executives’ accountability for cybersecurity incidents. Read where to focus your cybersecurity efforts.

 

A notable aspect of the recent U.S. Securities and Exchange Commission (SEC) charges against SolarWinds Corp. for “fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities” is that the only individual at the organization specifically charged was the CISO – notable in particular because initial reporting indicated that both the CFO and CISO were being investigated.

What does this mean for CISOs? Especially coming on the heels of the SEC’s July 2023 adoption of stricter rules related to material cybersecurity incident disclosure, this is a strong message that the SEC is moving toward holding executives more accountable for cybersecurity incidents.

What happened?

As has been comprehensively reported, in the SolarWinds breach, malicious actors injected stealthy malware into a pre-production version of the company’s Orion product, which was used by roughly 18,000 customers, including the federal government.

Two years later, various cyber reports and internal assessments have indicated that poor cybersecurity practices and internal controls opened the door for “major reputation and financial loss.” On top of that, SolarWinds “defrauded investors by overstating SolarWinds’ cybersecurity practices and understating or failing to disclose known risks,” the SEC statement says.

“We’re so far from being a security-minded company,” concluded a subordinate of SolarWinds’ CISO, Timothy Brown, per the SEC. This single statement speaks to the lack of disclosure of the many known security flaws, the lax protection of critical assets, and the failure to accurately report the so-called “SUNBURST” cyberattack back in December 2020.

Should CISOs be worried?

CISOs have a significant responsibility to oversee and manage the cyber and IT risks impacting their organization, particularly their critical assets and data. As cyber attacks and incidents continue to increase, maintaining a robust and holistic cybersecurity program must include the buy-in and support of their board of directors and other C-suite champions. CISOs and their supporting partners should focus their efforts on the following.

  • Build a transparent relationship with the board. The CISO and the board are “in the same life raft.” It has become a fundamental skill for CISOs to speak the same business language when communicating cyber impacts, thus creating a common goal of rowing in the same direction. Also, board members must become more cyber-savvy to better understand the cyber implications to the organization and allow cyber to be a business enabler.
  • Lobby the board to provide the CISO with more authority to meet increased demands. CISOs must have flexibility and autonomy over their program – including having their own budget line. The ability to freely plan and implement new tools and resources provides a more agile path to managing the ever-changing cyber landscape.
  • Maintain compliant disclosure of cyber risk management to the board, individuals, or a committee that oversees cyber risks. As more regulations begin to mandate discussing the true security posture and accurate materiality weaknesses with board members, it is the CISO’s job to start these conversations. They should establish a trusting relationship with the board and create a safe space to openly discuss the known security issues in the environment and agree on solutions.
  • Conduct comprehensive cyber risk assessments. You can only protect what you know. One way to know what cyber risks the organization is facing is by conducting frequent risk assessments. CISOs must have a good handle on identifying and analyzing their risks, and these assessments are the first step in that process. CISOs understand that cyber is a journey, and it starts with knowing the baseline of their security controls and then identifying their future state.
  • Remember: As the adage goes, “Not if, but when.” Cyber resiliency must be front and center for an organization to remain viable. CISOs must spearhead business continuity (BC), disaster recovery (DR), and incident response (IR) activities and reviews on an annual basis, which includes reviewing plans, training, and road testing their procedures via tabletop exercises. Just like fire drills, BC/DR/IR procedures should become second nature and not create additional anxiety for the team.
  • Maintain not just good but excellent cyber hygiene. There are countless “fundamental factors” for good cyber hygiene: encryption of data, use of VPNs, proper configuration of firewalls, updated anti-malware and intrusion-prevention software, rigorous password requirements, and so on. However, cyber hygiene is not a “set it and forget it” activity. CISOs must stay vigilant and regularly implement additional hygiene activities, such as enforcing multifactor authentication for all users across all IT assets; managing, monitoring, and appropriately issuing privileged access to all IT assets; and avoiding “analysis paralysis” by fine-tuning security tools to generate accurate alerts for their team to immediately act on.

You are not alone; we are here to help.

Managing a cybersecurity program is a demanding, full-time job, and CISOs cannot be actively involved in every aspect of it. In fact, CISOs often experience burnout due to the high demand and added pressure.

However, working with CohnReznick’s team can help alleviate many of the pain points and bottlenecks experienced day-to-day. We can be part of your cyber journey – while still providing an independent view – by conducting risk assessments, enhancing organizational policies and procedures, leading tabletop exercises of resiliency plans, and providing trusted advice when reporting valuable information to board members.

Reach out to learn more and get started.

Subject matter expertise

  • Silvia Ruiz, Manager (Silvia.Ruiz@cohnreznick.com)

This has been prepared for information purposes and general guidance only and does not constitute legal or professional advice. Neither CohnReznick LLP or its personnel provide legal advice to third parties. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its members, employees, and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.