The SolarWinds proceedings – Some Reflections for the CISO Community
On October 30th, the Securities and Exchange Commission announced charges against SolarWinds Corporation and its chief information security officer, Timothy G. Brown, for fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities. The proceedings have caught the attention of the CISO community. They lead to some immediate practical reflections, as to what CISOs can do to reduce exposure, what the CISO community can achieve together, and what other policymakers can do to promote cybersecurity. In addition, these reflections highlight a possible role for the CISO community in developing ethical best practices that can often inspire and guide the development of legal norms in evolving areas. CISOs can take the lead.
Setting the scene – Regulating the CISO through securities enforcement
The facts of the case matter; they are disputed and will be resolved in the legal proceedings now unfolding. But as the SEC itself stated, the case is intended to have wider implications for companies and for the role of the CISO.
The SEC charges against SolarWinds and Brown deal with some of the key challenges facing information security professionals working for a software development company. All of them come down to managing the tension between operations and security effectively.
This requires not only technical expertise but also the ability to communicate technical and operational risk and exposure clearly to internal stakeholders within the rich corporate ecosystem (Boards, Auditors, CIO, CFO, CRO, investors, etc.). While the CISO is the subject matter expert, the board is responsible for deciding what the corporate “crown jewels” are, what resources go to their protection, and what the corporate priorities and risk appetite should be.
For publicly traded companies, the securities regulation context amplifies the challenge. While sector-specific regulation focuses on cybersecurity risk management, securities regulation also regulates statements about the state of affairs in a company. It therefore requires these complex and sensitive discussions and decisions to be communicated publicly, which is tricky precisely because the subject matter (security, risk management and exposure) is sensitive.
Practical implications for CISOs
Clarifying, formalizing and documenting roles and responsibilities
The proceeding highlights the tensions between the different roles of a CISO as cyber defender and risk manager, business enabler, and executive. The CISO should be aware of the potential conflicts between these roles and manage them, rather than letting them manage the CISO. This means taking proactive steps to clarify how these tensions play out in one’s own organizational context and how to handle them. These reflections resonate with, and illustrate, some of the recommendations in Team8’s CISO’s Guide to Legal Risks and Liabilities, written in collaboration with Team8’s CISO Village and SINET.
A best practice is to make sure the CISO’s own view of the role and its responsibilities is aligned with formal documents, such as employment contracts and organizational procedures. This can improve clarity in organizational settings, keep the focus on the main mission, and reduce potential organizational tensions and legal risks. Consulting with private counsel, and having adequate insurance coverage, can complement these efforts and reduce exposure.
Speaking truth to power – the CISO and the Board
CISOs should be clear about their role as subject matter experts and about their interfaces with the stakeholders in charge of risk and operations. CISOs should make sure that decisions about risk appetite, and about the adequacy of mitigation measures, are led by the highest level of the organization, taken in a comprehensive manner, and documented. In this context, CISOs should invest extra effort in communicating and explaining findings and recommendations to the Board. When CISOs are also part of senior management, they should navigate the operations-versus-security discussion with particular care.
The CISO and cybersecurity statements and disclosures
Public-facing statements by CISOs are treated as part of the organization’s promises. CISOs need to be aware of this and careful in how they describe their tradecraft. The emphasis can be on discussing goals, best practices, and lessons learned, rather than making promises about abstract outcomes. Double-check whether the way you describe what the company does could be considered inaccurate or overstated. The SolarWinds proceedings highlight the extra weight that public statements by CISOs, as subject matter experts, carry.
Beyond “boilerplate” disclosures – adding details and context
Publicly traded companies need to explain to investors what risks they face and how they deal with them. This has often led to the use of “boilerplate” disclosures, which describe the risk environment in general terms. In the cybersecurity context, this approach aims to balance the need for disclosure against the risk of creating unwanted technical or legal exposure. It also reflects the ongoing challenge of cybersecurity, in which technical risk, threat actors, and mitigation measures constantly change.
In the SolarWinds charges, the SEC criticizes the use of “boilerplate” language that does not give investors the information they need to make decisions.
This requires developing a more sophisticated approach to cybersecurity-related disclosure, both in detail and in context. A first step, guided by the SEC itself, is to discuss the corporate approach in more detail.
A useful rule of thumb is to move beyond “boilerplate” and contextualize these elements to the company’s specific cybersecurity risk posture. Disclosures should describe the processes for locating and mitigating risk in a way that does not itself create a security risk.
While the CISO is the subject matter expert for security, the right amount of disclosure is a corporate decision, to be taken with the company’s relevant stakeholders and its legal counsel. The CISO should support the discussion as far as possible, making sure the information is accurate and cannot be considered false or misleading. Yet the organization should have final responsibility for what is reported. This point resonates with the importance of defining roles and responsibilities clearly.
Huddling together – from best practices to professional ethics – the role of the CISO community
Ethical best practices can often inspire and guide the development of legal norms in evolving areas. The CISO community itself should see this proceeding as a recognition of its key role. The CISO profession is relatively young and a newcomer to the corporate suite. As it develops, there is a role for the development of a professional community with shared views on the substance of the profession, what it means to practice good cybersecurity, as well as its ethical obligations to different stakeholders.
Each of the issues discussed above, such as the tensions between operations and cybersecurity, relationships with internal and external stakeholders, and legal exposure, can benefit from collective experience and wisdom. These discussions could lead to shared, global understandings of collective norms: what “speaking truth to power” means in practice, and when CISOs need to push back. CISOs can take the lead.
Policy implications – accompanying sticks with carrots to promote innovation
From a policy perspective, the choice of the courtroom as an arena for developing norms of behavior for CISOs means an adversarial setting between the parties – the SEC, the company and Brown. This type of deliberation enables concrete fact-finding and a tailored normative response to the facts of the case. Yet, when searching for implications outside the concrete circumstances of the case, it would be useful to have a more deliberative and inclusive procedure to complement the SEC proceedings with “rules of the road” for the CISO community.
As suggested in a recent Team8 CISO Village report in response to the White House RFI on the subject of cybersecurity regulation harmonization, community-based insights are needed to inform further norm-setting. This would not undermine the SEC proceeding, but would help complement the stick with the carrot. Indeed, it is interesting to note that neither the 2018 SEC Cybersecurity Rule nor the more recent 2023 Rule specifically or formally addresses the CISO. Thus, more work could be done to explore the role and relationships of the CISO within corporate management’s responsibility for assessing and managing a company’s material risks from cybersecurity threats.
This is even more important given the quickly evolving technological and regulatory ecosystem, for example in AI. On the same day that the SEC pressed charges, the White House published a comprehensive Executive Order dealing with Artificial Intelligence, in which safety and cybersecurity play a core role. It is therefore imperative to recognize the real-world challenges of promoting innovation in the quickly developing world of technology while mitigating risk (on this, see Team8’s guide, written in partnership with our CISO Village community: Generative AI and ChatGPT Enterprise Risks). Complementing the SEC charges with more clarity based on multi-stakeholder discussions could prevent potential chilling effects on CISOs in high-risk areas such as AI. It would also support developing measures that empower and incentivize stakeholders in their respective roles in promoting cybersecurity. Such work could help create best practices and lay the groundwork for potential safe harbors that incentivize CISOs who act as business enablers.
DISCLAIMER: These materials are provided for convenience only and may not be relied upon for any purpose. The contents of this document are not to be construed as legal or business advice; please consult your own attorney or business advisor for any such legal and business advice.