SolarWinds and the SEC.
Rick Howard: Hey, everybody. We're back. [ Music ] Welcome to Season 14 of the CSO Perspectives Podcast. I know it's been a while since you've heard from me. Long story short, N2K took on an InfoSec project that not only consumed me and my role as the CSO for the past year, but the entire executive staff. Well, that project is finally over. At some point, I'm going to dedicate an entire episode to what we did, but if you find me in a bar at one of the upcoming cybersecurity conferences and ply me with beer, I'll tell you the entire sordid story. In the meantime, though, it's been nine months since the last CSO Perspectives Podcast, and we need to change that. [ Music ] Rest assured that the interns have not been idle. They've scrubbed down the sanctum sanctorum so that it is so spick and span that they can see themselves in the chrome paneling. Hey, hey, hey. We're not done yet. Have you finished the sub-basement? Get back down there. No celebrations until we are completely done. COMPUTER-GENERATED VOICE #1. For this first show in Season 14, we're going to talk about SolarWinds and the SEC fraud charges against their CISO, Tim Brown, because I have a burr up my saddle about what the SEC did there, and I need to get it off my chest. So before I mix any more metaphors, hold onto your butts. COMPUTER-GENERATED VOICE #2. This is going to be fun. [ Music ] My name is Rick Howard and I'm broadcasting from the N2K CyberWire's secret Sanctum Sanctorum Studios located underwater, somewhere along the Patapsco River near Baltimore Harbor, Maryland in the good old US of A, and you're listening to CSO Perspectives, my podcast about the ideas, strategies, and technologies that senior security executives wrestle with on a daily basis. [ Music ] When the United States Securities and Exchange Commission, the SEC, charged the SolarWinds CISO, Tim Brown, with fraud in October 2023 in the aftermath of SolarWinds' very public breach in 2021, I was outraged.
How could they reach into the SolarWinds organization, past the board, past the executive staff, the CEO and the CFO specifically, and charge a guy who wasn't even the CISO at the time of the breach? SolarWinds gave Tim the CISO title after they disclosed the compromise. I've been a CISO three times now and I know the game. The CISO title is nothing more than that. A title. You might as well call me the Grand Poobah of Cybersecurity and it would have the same power. It's something you put on your business cards or your LinkedIn profile to show that you're important. If you have it, it doesn't mean you're a company officer or board director, or even on the executive staff. I mean, some of us have those things, but most of us don't. Typically, the title is a vanity plate that companies give security leaders to keep them happy and to show the world they're serious about cybersecurity. If they're lucky, public company CISOs might get asked for their input into the quarterly financial statement, the Form 10-Q, in regards to potential material cyber risk. Most times, though, CISOs are not even in the same zip code when company leaders discuss the subject. Don't get me wrong, I love the CISO job, but I'm just realistic about what it really means. That's why I was so angry about the SEC charges. They took the least powerful leader in the company, a guy who in no way makes official public statements, a guy who doesn't have enough resources to do all the things that should be done and is constantly told to do more with less, made that guy the example of what not to do, and ignored all the company leaders that do have the power. The mind boggles and I've been fuming about it ever since. But I will say the community is divided about this. I've talked to a lot of CISOs on this topic and I would say, I think that the SEC was completely right.
Tim was in charge of security, after all, they say, whether he had the CISO title or not. The positive things he was saying on the company blog, and when he spoke at conferences about how good the SolarWinds InfoSec program was, didn't match what he and his people were saying internally. Internally, things sounded bad. So when the Russian SVR hacking crew came knocking and found the SolarWinds InfoSec program wanting, the SolarWinds stock price took a major nosedive, investors became angry, and somebody has to protect the investors, right? Enter the SEC. Let's charge the CISO who wasn't the CISO at the time with fraud. Yes, that makes sense. COMPUTER-GENERATED VOICE #3. But I'm willing to entertain the idea that I might be wrong about how crazy this sounds. This show is me trying to determine if my outrage is justified. So let me set the stage. [ Music ] In December 2020, SolarWinds, a network management company, publicly disclosed that they had been the victim of a breach. Today, four years later, we know that SolarWinds was the victim of one of the most technically complex cyber espionage campaigns conducted by the Russian SVR, also known as APT29, also known as Cozy Bear and also known as The Dukes. It was an innovative supply chain attack that allowed the Russians to compromise some very important customers who use the SolarWinds services, like the US Department of Defense, the Department of Homeland Security, the Treasury Department, the Intel Corporation, Cisco, Palo Alto Networks, Microsoft, and Mandiant, just to name some of the more well known of the 100 total targets. [ Music ] The SVR basically compromised the SolarWinds network, penetrated their software build system, inserted malicious code into the SolarWinds flagship network monitoring product called Orion, and let SolarWinds deliver their malicious code for them via their automatic software update mechanism.
Two years later, October 2022, the SEC delivered Wells Notices to the SolarWinds company, the CISO, and the CFO. A Wells Notice is a letter informing recipients that the agency has completed an investigation and is planning to bring enforcement actions against them. In this case, the SEC alleges that SolarWinds, the company, and these two employees misled investors in 2021 and before, through multiple public statements about the strength of the SolarWinds InfoSec program, when in fact internal communications showed that leadership and practitioners both knew that they had significant weaknesses. The next year, October 2023, the SEC filed a civil action against Brown saying that he violated the anti-fraud provisions of the Securities Exchange Act of 1934. Essentially, he, air quotes here, "schemed on his own to hide the true state of the SolarWinds InfoSec program from investors." Wow, a schemer. I'm reminded of the movie scene with the late great Heath Ledger playing the Joker in "The Dark Knight."
Heath Ledger: The mob has plans. The cops have plans. Gordon's got plans, you know, they're schemers. Schemers trying to control their little worlds. I'm not a schemer. I try to show the schemers how pathetic their attempts to control things really are.
Rick Howard: Now, try to picture Tim Brown as a schemer. That's ludicrous, really. Note, they didn't charge the CFO or the CEO, even though they named the CFO in the Wells Notice earlier. Apparently, those two weren't doing any scheming. Just Tim was. [ Music ] From the amended complaint that the SEC filed in February 2024, here is a summary of the basic facts of the case. In 2017, Tim Brown takes a position with SolarWinds as the VP of security. Again, let me emphasize that he's not the CISO yet. The SEC claims that between 2018 and 2020, a SolarWinds security statement remained publicly posted on its website saying that the internal InfoSec program is overall compliant with the NIST Cybersecurity Framework, uses a secure development lifecycle when creating software for customers, employs network monitoring, has strong password protection, and maintains good access controls, and they also claim that internal discussions throughout the same period demonstrate that Tim, his staff, and company senior leadership knew that there were problems with the deployment of all those tactics. In 2018, SolarWinds leadership successfully negotiated the company through an initial public offering, an IPO. They went public, but in official documents describing the company before the IPO, leadership only listed a generic and hypothetical cybersecurity risk disclosure. A year before the IPO, though, Brown had been telling leadership that the "current state of security leaves us in a very vulnerable state for our critical assets." Fast forward to 2020, the SEC cites evidence that multiple employees, including Brown and other employees not participating in the fraud, exercised their options and sold SolarWinds stock. Brown received more than $170,000 in gross proceeds. The SEC alleges that the SolarWinds stock price was inflated by the misstatements, omissions, and schemes, there's that word again, of Tim Brown's public statements on the webpage and in public speaking engagements.
Weirdly, the SolarWinds CEO for the past decade, the man who shepherded the company through the IPO, Kevin Thompson, resigned from his position on 7th December and announced his replacement, Sudhakar Ramakrishna, who didn't officially take over until January. It's weird because five days later, 12th December, the security firm Mandiant had discovered that the SolarWinds network had been compromised and their CEO Kevin Mandia called Thompson to tell him that his company had been hacked. Two days later, 14th December, SolarWinds filed an SEC Form 8-K report stating in part that the company "had been made aware of a cyber-attack that inserted a vulnerability within its Orion monitoring products." In January 2021, one of the first decisions made by the new CEO, Sudhakar Ramakrishna, was to promote Tim Brown to CISO, which by the way is a typical go-to move by organizations and CEOs after experiencing a major breach and discovering that they didn't have a CISO to blame things on. Fast forward another two years, October 2022, the SEC delivered the Wells Notices. After another year, 26th July 2023, in a move that may seem unrelated to the SolarWinds breach, the SEC published their reporting rule, mandating disclosure of material cyber events within five days of discovery. That rule would go into effect at the end of the year. By October 2023, though, the SEC charged Tim Brown with fraud. Six months later, February 2024, the SEC amended their initial complaint and expanded the charges. [ Music ] Before we go too much further, it might help to provide a description of how the Russian SVR navigated the SolarWinds intrusion kill chain. Kim Zetter, the famed cybersecurity journalist and Cybersecurity Canon Hall of Fame author for her 2014 book about Stuxnet called "Countdown to Zero Day," wrote an excellent blow-by-blow description in Wired last spring about how the Russian SVR, generally equivalent to the American CIA, ran their attack campaign.
Victim Zero was a SolarWinds VPN account that the SVR compromised on or around 30th January 2019, a full year before they installed the back door to the Orion software. Somehow, the attackers moved laterally undetected to compromise over a hundred different software code repositories for various products, steal customer data about who used those products, and the product code itself. And then they disappeared for three months, presumably to study what they found. When they returned on 12th March 2019, they did recon to find the SolarWinds build environment and then disappeared again for another six months. And just a note here, the SolarWinds build environment was complex. It takes newbie developers months to understand how to legitimately navigate it. But when the SVR returned in September 2019, they knew exactly what they were doing. They dropped benign test code into the system to see if they would get discovered and monitored leadership email traffic to determine if anybody had suspicions. Five months later, February 2020, they dropped the back door into the Orion software package. The impact, according to the vice chair of the House Committee on Homeland Security at the time, Congressman Ritchie Torres:
Ritchie Torres: A cyber-attack on a software supply chain is like an infectious disease outbreak spreading widely and rapidly and causing untold damage far and wide. The SolarWinds espionage campaign against the United States, which spread surreptitiously through a software product represents the greatest intrusion into the federal government in the history of the United States.
Rick Howard: And that's saying a lot if you consider the Chinese compromise of the Office of Personnel Management, OPM, back in 2014. [ Music ] First, let me just say that I understand what the SEC is trying to do. They want public company investors to have better information about the state of material cyber risk. According to the amended complaint, the SolarWinds stock price dropped 35% during the disclosure month, December 2020, causing investors pecuniary harm. The SEC wants investors to have better information about material cyber risk so that this kind of thing doesn't happen in the future. I get it, and I like the notion of it. It's why they passed their new disclosure rule back in 2023 mandating that public companies disclose material cyber events within five days of discovery. But in my humble opinion, to make sure the business world takes them seriously with this new disclosure rule, the SEC wanted to set an example. SolarWinds was just a target of opportunity. That in itself doesn't invalidate their claims against SolarWinds, but it helps to keep everything in context. Second, in the amended complaint, the SEC demonstrates their complete lack of understanding of how cybersecurity works in the real world. They don't understand that material cyber risk is a probability, a measure of uncertainty about the state of the InfoSec program, not an on-off switch where if you were just compliant with the NIST Cybersecurity Framework or had strong password protection, no adversary campaign would penetrate your network. That's a ludicrous idea. I've read the same bullets that the SEC called out on the SolarWinds website to many bosses of mine in the past. Yes, we follow the NIST framework. Yes, we have a software development lifecycle. Yes, we monitor the network. Yes, we have strong access controls, and yes, we have strong passwords.
But I would never have claimed that because of all that, we solved cybersecurity that no bad guy would materially impact the organization. We reduced the chances that they would be successful, but the probability was never zero. Clearly, the financial world and the security world are speaking different languages. [ Music ] Ted Wagner is an old friend of mine and a regular visitor here at the N2K Hash Table. Today, he is the CISO at SAP National Security Services. He and I have been quoting an old boss of ours, Colonel McCarl, for years about this misunderstanding. McCarl used to say that just because we, the good guys do something to counter what some adversary might be doing, that's not the end of the story. The bad guy doesn't crawl off into a fetal position in the corner saying something like, "Well, that's it. The good guys have completely defeated me." No, they get to vote about what the next move is. Here's Ted talking about the role of the CISO.
Ted Wagner: Ideally, his or her job is to ensure that the company is meeting its security requirements and properly mitigating cyber risk, but the adversary gets the vote. It's not binary. There are adversaries exploiting weaknesses throughout the system. Also, within a business there's no absolute, just compromises. There's real tension between the functionality development process versus fixing vulnerabilities. Developers are a limited resource in a software company. So software consumers assume security, but they look for functionality. It's a hard dilemma. There's always tension, a natural professional tension, between building greater functionality and securing the software. And somewhere a compromise is being made. But rarely is it the CISO's job to determine that compromise. You can understand the argument that public statements on the security of a software development process for a publicly traded software company create a perception for the stockholders of the company that there is security in their software. But in practice, the CISO has limited ability to direct resources within a software development company to fully address all cyber risk.
Rick Howard: My best friend Steve Winterfeld, a seasoned security professional, meaning he's really old, veteran CyberWire Hash Table member and editor to my "First Principles" book told me the other day that of course we're speaking different languages. The finance people have been thinking about accounting principles since the time of the pyramids. Security people have only been around for about 50 years. We still haven't agreed as a community about what we are all trying to do with our InfoSec programs. He was the impetus for us publishing our book on cybersecurity first principles last year. But there's a reason we haven't come to a consensus. It's a really hard problem to get any community to agree on what's important. The finance world struggled with this too.
Steve Winterfeld: Really, more history, Rick?
Rick Howard: The American version of consensus failed at least three times since the Great Depression before it arrived at its Generally Accepted Accounting Principles, GAAP, in 2009, roughly 90 accounting topics. The security world is just beginning to grapple with the problem. The giant disconnect, though, is that the SEC is looking for the same kind of rigor they get with GAAP analysis and the security world brings them the NIST framework. That's an impedance mismatch that causes noise in the communications path between the two communities. And this is an idea I got from you, that the accounting people, the finance people, the SEC people, they have a set of rules that they have all agreed on called GAAP, Generally Accepted Accounting Principles. Whereas the security community doesn't have anything. And the closest thing we have to it is a framework or a certification law or some best practice. But there's no bridge between what we think is important and what the finance people think. And we probably need to have it.
Steve Winterfeld: Yeah. And we've needed it for a while. And this is the SEC trying to be a forcing function. I don't know how we get there from here because like you said, the financial industry with the FFIEC, we have the energy with NERC CIP, we have healthcare with HIPAA. All of those have a set of, I'll loosely call them frameworks or checklists. I don't know that those are -- are really making a difference on those industries in what's happening on the cyber, but at least all the banks know they have a common set of requirements to work towards.
Rick Howard: I guess the way forward, I don't know, see what you think about this, is the SEC does something similar in the cybersecurity field. So appoint the commission to come up with the accepted rules that we can all follow.
Steve Winterfeld: There are probably at least eight federal agencies, and that's the very minimum that feel like they own cybersecurity. And I wouldn't have included SEC in that eight before this and they have a very limited scope of publicly traded companies.
Rick Howard: And I agree with that, but they're the ones charging people with fraud in the public company space. So you and I worked on the "First Principles" book. We came up with a way to forecast the probability and material impact. I think that might be the rule. One of the rules that we all agree to that that's what we're reporting to the public. I'm very naive about that. I can't imagine anybody would absolutely tell their stockholders that they have a 25% chance of material impact due to a cyber event. But that's what we could be working towards. And I think the SEC is the organization that could do that.
Steve Winterfeld: And I would love it if, again, we could all agree on a common set of standards, for lack of a better term. And I understand --
Rick Howard: Yeah, it's not standard. I understand we're kind of hitting around the what it is, but we have to bridge how we talk about cybersecurity to how the finance community talks about materiality. And right now it's a big gaping chasm that we have nothing to do that for, but I think it's possible.
Steve Winterfeld: And -- and personally not speaking for Akamai, but personally, I am more worried about companies that are publicly traded than small startups or other things. Because, you know, that's -- that's my wealth. That's my retirement. You know, so I would -- I would love to know that I understand both the financial risk and the cyber risk of a company I've invested in. Absolutely.
Rick Howard: And if you look at some of the stuff we've covered on this podcast and in the book, it's absolutely possible to calculate the outside-in probability of material impact just by looking at data that we already have. We know what the likelihood is for a Fortune 500 company that's in the financial sector. We know what that number is. As a minimum, that's what we should be reporting to our stockholders and we could adjust that with better models. Okay. But I think as a minimum, that might be something we do.
Steve Winterfeld: And going back to yours, you know, I don't know if people would say that 25% publicly. Well, if all companies said that, then it would be okay.
Rick Howard: Yeah. It'd have to be, yeah.
Steve Winterfeld: And then, you know, somebody that said 45%, maybe I don't want to invest in them. Somebody that said 10%, maybe I do want to invest in them more than others. So it's more about us all agreeing to the same --
Rick Howard: Yeah, the same generally accepted InfoSec principles. You know, the GAAP that I mentioned in the essay.
Steve Winterfeld: I do love that. We need more acronyms. [ Music ]
Rick Howard: The Tim Brown scheme, when he sold his stock options? I have no idea, but this seems to me to be so unlikely as to be laughable. SolarWinds executed the IPO, the initial public offering, in 2018, a year after Tim joined the company. Two years later, Tim sold some of his stock to the tune of $170,000. Many other SolarWinds employees sold stock at the same time too. So it wasn't like Tim was sneaking out the back door with a suitcase full of money. The SEC seems to be implying that Tim knew that the SolarWinds stock price was highly inflated solely because of his "misstatements, omissions, and schemes" on the company website, that he forecasted the stock price drop because of an imminent material cyber event that only he knew about, and sold his stock to take advantage of the anticipated disparity. That sounds like a plot from my favorite TV show "Billions," starring Paul Giamatti, Damian Lewis, and Maggie Siff.
Unidentified Person: What we do has consequences, intended and unintended. The decisions we make, the actions we bring have weight. Come to work every day and be just and strong in the actions you bring and don't waver.
Rick Howard: The Occam's Razor principle tells me that it's much more likely that Tim was simply cashing in some of his stock options to either diversify his portfolio, take advantage of a vesting schedule, or to buy a pony. Any of these are more likely than Tim scheming to defraud investors. [ Music ] Did Tim Brown commit fraud before the IPO? What I mean by that is that in the SEC's amended complaint, they said that when SolarWinds prepared for the IPO, leadership only presented a "generic and hypothetical cybersecurity risk disclosure." But in internal correspondence, Tim was telling the leadership that the current state of security was vulnerable. Discussions within Tim's security team indicated that they were well aware that the SolarWinds remote access setup was "not very secure and that someone exploiting the vulnerability can basically do whatever without us detecting it until it's too late, leading to major reputation and financial loss." That pretty much nails exactly what the Russian SVR did. So you can see why the SEC blames Tim: he knew about the problem, didn't fix it, and then the SVR came knocking, causing investor pecuniary harm. That's all well and good, but anybody that's ever been a CISO of a public company, and I'm one of them, knows that the SolarWinds official risk statement in preparation for the IPO was not crafted or single-handedly approved by Tim. That statement is not something that senior leadership delegates to the VP of security. Remember, he wasn't the CISO until after the breach became public. In fact, for any company going through the IPO process, the IPO risk statement isn't delegated to the CISO either. That statement is crafted by a raft of IPO lawyers and approved by the CFO and the CEO. Sometimes they might even ask the CISO for input, but that is definitely not the standard practice.
The IPO security statement is carefully designed to have just enough detail to get the IPO across the line, but not enough where it might impact the process. From the SEC's amended complaint, it sounds like Tim did his duty. He told senior leadership about the risk to the business, and the CEO and the CFO decided to massage that message, as is their charter. Their job is to manage risk to the business and to present risk to their investors. They made that call. That's why I'm so peeved that the SEC charged the CISO and not the CEO and the CFO. [ Music ] Whether you're buying into my outrage on this show or not, the decisions of the SEC with their new disclosure rule and their charging Tim in a civil complaint will change the CISO landscape going forward. For public companies, the new SEC rule implies that you already have some way to determine which cyber events are material and which ones aren't. My guess is that most CISOs don't, but because of the SEC fraud charges, we are all scrambling to figure it out. We'll see a lot more public disclosures because of that rule, which of course is what the SEC wants. There is a legal definition of business materiality that we got from Supreme Court Justice Thurgood Marshall back in the 1970s. It says that a material event exists when there is "a substantial likelihood that a reasonable shareholder would consider it important in deciding how to vote. Or a substantial likelihood that the disclosure of the omitted fact," like the SEC claims Tim did, "would've been viewed by the reasonable investor as having significantly altered the total mix of information made available." But I propose that it isn't the CISO's job to figure out what a material cyber event is to the business. That's the CEO's and the CFO's call. Simplified, it's probably some total dollar threshold in terms of revenue lost, stock depreciation, and recovery costs.
Once defined, the CISO can model the probability of that event happening, and then ask the leadership team if the risk is acceptable or do they want to spend resources, people, process, and technology, to lower it. I talk about how to do that in the "First Principles" book. As an aside, I published a book two months before the SEC announced their new rule about reporting material cyber events. In the book, I make the case that the absolute cybersecurity first principle, the very first rule in our brand new Generally Accepted InfoSec Principles, or GAIP, that I just made up, is this: reduce the probability of a material cyber event within the next three years. I'm totally taking credit for anticipating the new SEC rule, even though I had no idea it was coming. When I tell my mother-in-law about this, I tell her that I'm a genius. I think she's buying it. COMPUTER-GENERATED VOICE #4. There's going to be a lot of gray area in the next five to 10 years as we learn about which companies the SEC decides to make further examples of. My guess is that there will be some small percentage of the Fortune 500 companies after they experience a major breach. In the meantime, the SEC just dropped a big bucket of cold water on the potential hiring pool of new CISOs. Since CISOs are not typically company officers, they don't automatically get directors and officers insurance, D&O insurance, a type of liability insurance that provides coverage for directors and officers against costly litigation claims arising from their management decisions. To SolarWinds' credit, they are covering Tim Brown's legal costs, but this practice isn't the norm. Why would you take this job if you think you're going to get sued, even if you do have insurance? As a bare minimum, D&O insurance has to be part of the compensation package for CISOs going forward. And speaking of compensation packages, I believe the price has just gone up.
Some sources say that the average compensation package for a large public company CISO, that's base plus bonus, is about $700,000. For my CISO peers that I've talked to this past year to even consider the job, that will have to be much bigger. One of the points in the essay was that in order to get an experienced CISO now, with these charges looming with Tim Brown and SolarWinds, the compensation package for experienced CISOs is going to have to go up. And you thought I was just dumb saying that. So tell me why you think I'm dumb.
Steve Winterfeld: So, ask that without saying, I think you're dumb because that's more pejorative than I was saying. Just say I disagreed with that.
Rick Howard: I'm going to try to caveat it a bit. I agree that you could get an inexperienced CISO to take a job for the average compensation package, that's bonus plus salary, is about $700,000. And I agree you can find an inexperienced CISO to take that job. What I'm saying is, if you wanted someone who's been in the saddle for a few years, they're going to be wary about taking a job without that being significantly higher. And does that change your opinion at all?
Steve Winterfeld: And I think most people are going to change what they focus on in the compensation package. So if I were to go to talk to somebody about going into a public company right now, my question would be, what does the CFO have in the way of protection during a complaint or class action lawsuit? And then if he has nothing, then I don't know that I could argue I need something unique. If he has a set of insurances that makes sure he's protected as an individual, then I would ask for those same benefits.
Rick Howard: Correct.
Steve Winterfeld: And so I don't think it's about the amount of compensation. It's about being treated as an equal to the responsibility protections that the others have.
Rick Howard: I will also say that if public company CISOs, going forward after the SEC's filing of the amended complaint, haven't stopped talking publicly about their internal InfoSec program, they really should. There's no upside anymore, regardless of how the marketing department wants to use you as an in-house security expert. Those statements can only come back to haunt you later in a future lawsuit. For private companies, the situation is a bit different. There is no obligation to report on material cyber events, no obligation to follow the SEC rules. Still, if you're buying into my first principles thesis, you still have to develop your own definition of what materiality means to you. The way I think about materiality at N2K, a startup with 40 people, is to consider the estimated dollar figure in terms of recovery costs and financial loss during the outage that would cause the company to fail. A dollar figure that is a company killer, a cost threshold from which the company couldn't recover. As with the public company, I can model the probability of a company killer event happening and then ask the leadership team if the risk is acceptable or do they want to spend resources, people, process, and technology, to lower it. [ Music ] At the top of the show, I said that I was outraged that in response to an innovative and well executed Russian SVR cyber-attack campaign targeting the SolarWinds company, the SEC decided to make an example of the CISO instead of the CEO and the CFO. That really ticked me off. The SEC claimed that the CISO, through internal communication, knew that the InfoSec program was weak in several key critical places, but in public statements suggested that it was strong, that investors were paying attention to these public statements and thus lost their investment when the stock price dropped after the attack.
But I also said that I was willing to admit that I might be wrong about that outreach and I was using this show to work out my thoughts on the subject to decide if my outrage was wrong. Well, I don't think so.
Unidentified Person: I don't think so, Jim.
Rick Howard: There are several reasons. First, in March of 2024, over 50 former CISOs from companies like HP, Clorox, Siemens, UnitedHealth Group, City National Bank, Salesforce, NTT, and Bank of America attached their names to an amicus brief sponsored by the law firm Cooley LLP that "supports SolarWinds motion to dismiss the SEC's amended complaint, which contains more than 50 pages of additional allegations against SolarWinds and its Chief Information Security Officer." So at least I'm not alone in my outrage. It doesn't make us right about our anger, but at least we are not the only ones in that state. Second, in terms of the IPO risk statement, Tim may have had some input, but it's likely that he didn't. Even if he did, he didn't have the final word. The CEO and the CFO made that call with the advice of several well-paid IPO lawyers. That statement is not Tim's fault. That clearly lands on the CEO and the CFO. Third, the distance between what Tim was saying in public about the strength of the SolarWinds InfoSec program and what he and his team members were saying internally is quite wide. That sounds bad when you say it out loud like that, but it's common practice, especially for security vendor officials. I've done it myself. You don't present to customers a full and complete dirty laundry list of all the things wrong with the internal InfoSec program. We all have things that we would like to improve there. In public, though, you say the positive things you're trying to do: we follow the NIST framework, we do have a policy of strong passwords. It doesn't mean that there aren't places where we can improve in both of those projects, and it's not lying. It's choosing to put a positive marketing spin on the situation instead of an "oh my God, the sky is falling and everything is a disaster" negative critique that might scare potential customers and investors away. That's what marketing is, and it's more of an art than a science.
You have to walk right up to the line of complete fabrication and not cross over it. Many of us have done it to some degree or another. But like I said before, I think that practice is coming to a grinding halt. There's no way that we should be talking in public these days about the state of our InfoSec program. Fourth, the SEC charges imply that there can never be a disagreement among the internal InfoSec team members about potential risks, priorities to fix, and general direction. There can never be arguments between InfoSec leaders and practitioners about how to apply their limited resources. And whatever discussions happen, they can't be in email, in Slack, or any other digital medium, because the SEC will collect those conversations and use them against the CISO in fraud charges. The SEC seems to be implying that there is really only one well-known way to implement the InfoSec program, when we all know that the true answer is completely the opposite. [ Music ] Lastly, there is an impedance mismatch between how the SEC and the financial world talk about cybersecurity and how the InfoSec profession does. The SEC world has generally accepted accounting rules, the GAAP principles, for how they present the business. That's what they understand: a rigorous set of math principles that they have all agreed to. The InfoSec profession has a bunch of squishy non-math ideas to select from to defend the enterprise, like the NIST framework, compliance, CIA, and many others. But there is no consensus about which one is more important than the other or which one we should all use. We all have our favorites. Whatever you choose, though, none of them are mathematically rigorous enough to build a bridge to the SEC's definition of materiality. I make the case for how to change that in the "First Principles" book, but the community is a long way from accepting that approach as one of the generally accepted InfoSec principles, GAIP, the new InfoSec term I just made up.
The noise generated by this impedance mismatch between the two groups causes confusion and misunderstanding. It causes the SEC to think that if Tim would've just implemented the NIST framework, like he said he was doing on the public website, then the Russian SVR would not have been successful and SolarWinds could have protected their investors. That's simply misguided. My hope is that SolarWinds, Tim Brown, and the 50 Cooley CISOs have success in getting the SEC charges against Tim thrown out. Only time will tell. It doesn't mean that I think the SEC shouldn't punish anybody. It means that I think they had the wrong target. [ Music ] And that's a wrap. I'd like to thank my friends, Steve Winterfeld, the Akamai Advisory CISO, and Ted Wagner, the SAP National Security Services CISO, for coming on the show and helping me understand this complex new development in the role of the CISO going forward. I think navigating that space will be very choppy for the next five years or so, regardless of whether you're a CISO or a veteran security practitioner. CSO Perspectives is brought to you by N2K CyberWire. Visit the cyberwire.com for additional resources that accompany this episode, and check out our book, "Cybersecurity First Principles: A Reboot of Strategy and Tactics," for a deep dive into some of the topics covered on this podcast. I've added some helpful links in the show notes too. We'd love to know what you think of this podcast, and your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. You can also fill out the survey in the show notes or send an email to csop@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people.
We make you smarter about your teams while making your teams smarter. Learn how at n2k.com.
Liz Stokes: I'm Liz Stokes. I'm N2K's CyberWire's Associate Producer.
Trey Hester: I'm Trey Hester, audio editor and sound engineer.
Elliot Peltzman: I'm Elliot Peltzman, executive director of sound and vision.
Jennifer Eiben: I'm Jennifer Eiben, executive producer.
Brandon Kaf: I'm Brandon Kaf, executive editor.
Simone Petrella: I'm Simone Petrella, the president of N2K.
Peter Kilpe: I'm Peter Kilpe, the CEO and publisher at N2K.
Rick Howard: And I'm Rick Howard. Thanks for your support, everybody.
Unison: And thanks for listening. [ Music ]