CISOs in the Spotlight: Lessons from the SolarWinds SEC Action
By James Rees, MD, Razorthorn Security
Unless you have been hiding under a rock the last few weeks, you will know about the SEC taking action against the SolarWinds CISO in a landmark case that is going to change the way CISOs undertake their jobs in the future.
The SEC’s action against the SolarWinds CISO is a wake-up call for all CISOs. To protect themselves from potential liability, CISOs must be diligent in risk management, ensure clear communication with all relevant parties and demand a greater level of authority within their organisations. This may also drive up CISO salaries and make it more challenging for smaller organisations to hire qualified security professionals.
It is also expected that this shift will not be limited to the US but also extend to Europe with the impending DORA legislation.
Personal Liability: A New Precedent
It has become clear that a precedent has now been set for CISOs to be held personally liable for deficiencies in the way their employers deal (or do not deal) with security vulnerabilities and risks. This means CISOs must be exceptionally careful with their risk management in the future: carefully assigning risk owners, and retaining the information and communications that record discussions and decisions on how those risks were handled, in case they find themselves in the same situation as the SolarWinds CISO.
The word in the community over the last few weeks is that from now on, CISOs will have to choose future roles very carefully and ensure that before they take on a new position, they receive solid guarantees that they will be taken seriously by the C-suite and be given the authority to communicate with outside governing authorities as well as shareholders regarding the exact status of security and risk management, as required.
This applies not just to organisations in the United States, but likely to those in Europe as well, in order to comply with the upcoming DORA legislation.
What it comes down to is that CISOs may finally get that position in the C-Suite that they have been due for such a long time now.
The Way Ahead
The SolarWinds case has certainly sent shockwaves through the industry, and has had a profound impact on how CISOs view their roles and responsibilities. It’s clear that they can no longer afford to operate in a silo; they must have a direct line of communication with the board and other executives to ensure that they are all aware of security risks and vulnerabilities.
Additionally, they must be able to communicate these risks effectively to all relevant parties, whether internal stakeholders or external interested parties such as the governing bodies tasked with regulating security, and they must advocate for and, where required, enforce security throughout the organisation.
Challenges and Opportunities
This new level of responsibility will not be without its challenges. For one, I suspect it will drive up wages for CISOs and push the ability to recruit a qualified CISO further out of reach for mid-sized and smaller organisations.
Furthermore, there may be resistance from other members of the C-suite who are not yet convinced of the need for such a role. It is therefore crucial that CISOs demonstrate their value by highlighting the potential financial and reputational damage that could result from a cyber attack.
While these challenges may seem daunting, they represent an opportunity for CISOs to prove their worth and cement their place in the boardroom. The SolarWinds case serves as a stark reminder of what can happen when security is not taken seriously at all levels of an organisation.