SEC Charges SolarWinds and CISO with Fraud, Internal Control Failures (sec.gov)
248 points by arkadiyt on Oct 30, 2023 | 98 comments



In most public companies, CISOs are not "real" C-level positions. They're not considered "directors and officers" of the company in the sense of the securities law, they don't have special contracts, they don't rake in exorbitant salaries, they don't have golden parachutes. They don't routinely participate in board meetings or shareholder reporting.

If I recall correctly, at Apple, the CISO role was some guy reporting to the corp IT org, entirely separate from core products and services. And we're talking about one of the most valuable and sophisticated tech companies in the world.

Amazon had an even wackier model, with separate "CISOs" for different orgs, the term meaning not much more than "a senior manager that we can put in touch with clients if needs be." Google now has a "cloud CISO" who is a nice techie guy and talks to customers, but is not actually the person in charge of the overall Google security org.

I get it that the SEC wants to change this culture and have a designated person meaningfully responsible for infosec risk, but it feels that it's a case of stick before the carrot. They have the power to reinterpret their own rules to elevate CISOs before they start cracking down on them with personal liability lawsuits.

And I'm betting that just like in the case of Uber, the CISO will end up in trouble, while all the execs will get to claim ignorance and walk free.


If we're being critical here, I'd also argue that often the CISO's job and main concern is simply making sure they have the right paperwork and motions in place to pass a given set of industry audit standards. These people are not always even capable of understanding the technical security of a product.

Paper security like this is often a minimum bar, and sometimes even below minimum when the audit checklists lag best practices like "password rules" requirements did for so long.

I agree that if the CISO is liable, they should also actually be responsible, but making the CISO responsible won't by itself fix the industry's security issues.


The password example feels egregious, but keep in mind that the investigators spent months if not years combing through corporate records and are now showcasing the most embarrassing finds in the framing of their choice. I bet there's not a single company in the world where some engineer didn't at one point set up a dumb password as a part of some one-off integration. The job of the security team is to systematically track down stuff like that, but you never reach 100%. There are things you don't see.

What feels particularly weird here is that SolarWinds wasn't compromised by a Bulgarian cybercrime gang. They were compromised by a nation state. While the SEC is notionally focusing on other stuff, this is ultimately the company's original sin. How many businesses, no matter how strong their security posture, can really say that they're immune to that?


The problem is not being hacked. The SEC doesn't want companies to be hack proof or to force them to dump millions into security.

They want companies to be more transparent and honest with shareholders about their current security gaps and for them to report hacks in a timely manner. It's fine to be insecure but honest, what is never fine is lying to investors.

Bad investments are fine, bad investments pretending to be good ones aren't.


I'm not here to defend SolarWinds, and it's entirely possible that they were a "bad investment pretending to be a good one", but I have some issues with this framing.

First, contrary to your assertion, there is no doubt that they're in trouble because of getting hacked by a nation state (and dutifully disclosed it). This wasn't some routine audit, wasn't a whistleblower complaint. The only reason the SEC went after them is that they had the misfortune of falling prey to an attack that few other businesses could conceivably repel. So, I'm not sure that's sending a great message.

Second, the complaint isn't showing that the company brazenly and deliberately deceived investors. It's not that the SEC peeked under the hood, immediately realized this is messed up, and had to act. No, they spend months poring over every email - and all they came up with is not exactly a smoking gun. The whole complaint is basically "the company only made generic investor disclosures, but we found instances where specific employees pointed out more specific deficiencies."

Ignoring the one-sided narrative of the complaint, the actual quotes they have don't paint the picture of a deliberate conspiracy. They paint the picture of normal day-to-day communications where people sometimes say dumb things, blow things out of proportion to try to get resources, etc.


I think your stance is way more balanced, I was mostly speaking to what I believe is the message the regulator wants to send, regardless if it's fair in its essence. Thanks for balancing out the thread.


The thing that was so egregious about Solarwinds is that, given their line of business, they were obvious targets for nation state actors. This is similar to any business that itself is a supplier of highly privileged software to large numbers of clients (e.g. password managers or cloud providers are in the same boat).

And while the password example could have been a one-off, everything I've read about Solarwinds says they had a horrendously bad security culture. Bad security cultures are essentially unfixable without a top-down, CEO-driven initiative that places real carrots and sticks for individuals' security posture. Even then, 95% of these initiatives are bullshit, because they boil down to "Security is our top priority! Oh also if we miss our revenue targets a bunch of people are getting fired."

I think the CISO's actions were pretty bad, but I also think there are lots of other execs at Solarwinds who are quite happy he's now the sacrificial lamb.


Nation states like anyone else have budgets. No company is immune to the full weight of a major nation state but most of the time that is not brought to bear. You don't need to be impossible to hack, you just need to be hard enough that the value provided is less than the effort required.

Still a pretty tall order, but a few steps down from impossible.


Isn't this a "I don't have to be fast, just faster than you" scenario when a bear is chasing you and all your peers?

There's always going to be a curve and if anyone on the front side of the bell curve is below the threshold for "worth the effort" then this seems like a useless goal. I agree with other posters that this is more about transparency.


>I get it that the SEC wants to change this culture and have a designated person meaningfully responsible for infosec risk, but it feels that it's a case of stick before the carrot.

They have that already, it’s the CEO - he is supposed to have ultimate responsibility which is why he (or she) gets obscene compensation. They should be incentivized to hire the best CISO he can find because he’s facing jail time if he doesn’t.

Instead he has 0 responsibility because literally everything is an underling's fault.


It's somewhat wild: I remember as a kid being taught that those with the power are the ones with the responsibility. And yet once I entered the workforce, it turns out it's the opposite.


They do have the responsibility, the responsibility to appoint the appropriate fall guy in accordance with the wishes of the board.


While this may be true most of the time, there are cases where the CEO has taken full responsibility. A podcast [1] by Darknet Diaries on a breach in 2015 at mobile provider TalkTalk in the UK tells of such a case.

[1] https://open.spotify.com/episode/4fihCSOPKrIDXPB2azNgOc?si=3...


Here it's worth remembering that CISO is a "specific" role; it does not necessarily connote "most senior security person in the company"; some companies have more than one; some companies have a "CSO" and/or a chief of "risk"; at Apple (for all I know) it might just mean "most senior security person in IS&T". Apple has a sprawling and multifunctional security team.

If your claim is that all of security at Apple somehow reports up through IS&T, I have some reason to believe that is not the case.


No, the bulk of security and privacy work at Apple happens elsewhere.


Oh, we're saying the same thing, and I misconstrued you; I thought you were making a comment about how lackadaisical Apple is about security, but you're just saying "CISO" isn't that big a thing. I agree! Sorry about that.


He's being sued for his actions not because of his position - he was responsible for acknowledging the issues internally and not acting on them, he was responsible for the language of statements made to shareholders that misled them about the state of security.

If he had sent an email to the CEO saying "we have a problem, we need to do something about this" and the CEO had overruled him, the CEO would be being sued directly.

It doesn't really matter what his role or how high up he was - he was found standing over the body holding the smoking gun.


The problem wasn't that they had bad security and were hacked. The problem is that they lied to investors about their security and about the hack. So if a CISO was the one telling the lies (and you seem to acknowledge that their main purpose is talking to clients, but maybe its also talking to investors) then they seem to be the right person to charge even if they weren't responsible for the bad security.


I don't know security law at all but I have always seen CISO equivalent positions to be "Director" level, reporting typically to the CFO or to a C-level of some org who reports to another C-level and so on depending on size and complexity. But you are right in that they're just regular mid level managers, not directly accountable to the board.


"Directors and officers" are a special legal category, basically the highest-ranking people making material decisions about the business day-to-day. They are subject to special reporting requirements, such as having to file paperwork whenever selling or buying stock (which usually needs to happen under a trading plan). They often have specialized contracts, company-provided liability insurance, and a variety of perks you associate with "real" executives at public companies - from corporate jets to eight-figure salaries. We're talking about the CEO, CFO, CTO, and so on.

This is similarly-sounding but completely separate from the "director" job level at a typical tech company, which is basically just a senior manager of a large team or maybe the lead of a mid-size department. Your average CISO is probably in this ballpark, commonly at least 2-3 reporting levels below real C-leadership.


This.

With respect to SolarWinds, we need only defer to their proxy statement to discover who the real shotcalling directors[1] and executives[2] are.

[1] https://www.sec.gov/Archives/edgar/data/1739942/000173994223...

[2] https://www.sec.gov/Archives/edgar/data/1739942/000173994223...


The CISOs I've worked with were usually Directors, or VPs, and in 3 cases so far, lawyers who made it into IS/IT management. Their CISO duties/powers were thin. Head-nods and "let's set up a separate meeting for that" level.


So they're basically a whipping boy?


P.L.E.A.S.E.


I am going to bet a pillow case of slightly squished mini candy bars that Tim Brown might have been a good technologist, but that he might have been told to sit down and color.

I am saying this because reading the interview notes:

> BROWN: It was crazy. So our CEO got a call in the morning from [Mandiant CEO] Kevin Mandia. And then he called me, and then the CTO for FireEye called me. That’s our nightmare moment. [Oct. 26, 2021 Cybersecurity Dive]

Was the Mandiant CEO friends with Solarwinds CEO, to make the call to the CEO instead of the person that (presumably) signed their vendor contract, the CISO?

> SolarWinds did almost immediately was create a cyber-specific committee on your board

I read this as "there was no one, not even the CIO at the board."

If you are a CISO, and you have to decide between your livelihood for the rest of your life guaranteed by a company, or your livelihood for the rest of your life taken by regulators, where do you go?

If the CISO says to the Corp "no, I am going public/won't lie/[insert insubordination]", no one will hire them thereafter.

If the CISO says "okay, let me sit and color", go to jail, and no one will hire them thereafter.


Yeah, I think you really hit the nail on the head with this one. I want folks to be held accountable, but considering the forces/incentives at play, I worry what you're left with is a CISO role that no sane person would take, so instead it's just taken by grifters who take the "gambling" route - let's just hope the chance that some major breach happens doesn't do so on my watch, but if it's "damned if I do, damned if I don't", might as well collect a fat paycheck while I see what happens.


he could have resigned


Exactly my point - if he resigned quietly, the company would hire a "yes man" that exactly fits the profile I described. If he resigned loudly, he probably would be pretty unhireable, at least as another CISO.

In neither case do the customers at any company get the benefit of actual improved security.


nah - SolarWinds was known bad stuff, and easily explained to the next employer.


Those latter two statements are no doubt about why Alex Stamos called being the CSO "the worst job in the world"


Who holds the CSO-equivalent job in the government? It's the president or prime minister, isn't it? Because ultimately all decisions have an impact on security.


CISO =/= CSO.

The Federal Chief Information Security Officer, through the OMB is Chris DeRusha.


Among other factors contributing to corporate/white-collar corruption & fraud, this is what happens when you have a culture of nepotism & nepotistic CEO.

The HR Chief of SolarWinds is the cousin of the CEO (Sudhakar Ramakrishna) of SolarWinds. Same was true at their previous company (Pulse Secure).

In many global cultures, this is completely normal-- and those are cultures which have high rates of endemic, prolific corruption, such as South Asia & Latin America.

I would like to see more insiders speak out & blow the whistle on corrupt trade practices under this CEO.

If any investigators or journalists would like more info, feel free to contact: anti.corruption.123@proton.me

"As they sow, so shall they reap."

"In human life seek justice, truth, temperance and courage, and you will profit from the supreme good that you have discovered." (Marcus Aurelius)


Ramakrishna was appointed CEO in January 2021 [0], the attack happened prior to his taking office [1]. The CEO at the time was Kevin B Thompson [2].

[0] https://investors.solarwinds.com/corporate-governance/board-...

[1] https://en.wikipedia.org/wiki/2020_United_States_federal_gov...

[2] https://www.crunchbase.com/person/kevin-thompson


I'm somewhat confident that the cultural problems predate those folks taking over SolarWinds.

Putting the national spin on this issue is inappropriate and contrary to the guidelines of this site.


You mean the spin they themselves induced on a broad cultural scale, over the course of centuries, such that it has become prolific and engrained?

...No one is allowed to comment on it.. because... Fraudulent Activities should be Accepted, And Not condemned, And no one is allowed to discuss it? Just trying to understand your logic, truly in good faith.

... And other nations should just accept it eh? 'Fraid not, ole chap.

...After all: Isn't that how they got there-- by silencing opposition to their activities?

______________

"Nepotism has been and remains one of the biggest curses of political development in South and Southeast Asia." [1]

"In the late 20th century, some Asian leaders including former Malaysian Prime Minister Mahathir bin Mohamad advocated "Asian-style capitalism," which meant a state- or family-led economy. But this system is showing signs of doing more harm than good to many Asian nations which have joined the ranks of middle-income countries." [2]

"When a leader gives his daughter a government contract, it’s nepotism. But it’s also cooperation at the level of the family, well explained by inclusive fitness, undermining cooperation at the level of the state. When a manager gives her friend a job, it’s cronyism. But it’s also cooperation at the level of friends, well explained by reciprocal altruism , undermining the meritocracy." [3]

... "It’s no surprise that family-oriented cultures like Mexico and Brazil are also high on corruption, particularly nepotism." [3]

[1] "The Curse of Nepotism". Blog Post by Joshua Kurlantzick. January 7, 2011. https://www.cfr.org/blog/curse-nepotism

[2] "Asia's emerging countries need to move away from nepotism, cronyism". Nikkei Asia - Business News. July 26, 2014

[3] "In Latin America as in the wider world, corruption is rooted in our relationships". London School of Economics and Political Science (Latin America and Caribbean Center). Michael Muthukrishna. October 23rd, 2017

[General Reference] "The Corruption Perceptions Index (CPI) is an index which ranks countries "by their perceived levels of public sector corruption, as determined by expert assessments and opinion surveys." https://en.wikipedia.org/wiki/Corruption_Perceptions_Index


Unlike in certain Western countries where we have systems and processes in place to ensure that, I don't know, incompetent progeny do not become senior staffers in the White House.


None of this even faintly describes the problems at SolarWinds, which were in place before the current staff is in place.

Also, that which explains everything explains nothing.


Wow, this could be a new copypasta.


And why should people trust you?

You could just be someone looking to blackmail companies with damaging insider info.


>> If any investigators or journalists

> why should anyone trust you

The statement clearly opens the validation to a capable person, what's your concern exactly?


A brand new account fishing for confidential info, that when asked why people should do so has gone off the deep end and started calling me names. Telling me to move to a corrupt country where I'd be welcome, etc.

To me (!), that doesn't seem like a level headed person that should be entrusted with anything important. You may feel otherwise of course. ;)


You imply investigators & journalists PROVIDE confidential info

when in actuality, they RECEIVE confidential info

you seem to be confused about how investigations work.




How do you even know where the previous poster does live?

Nepotism is a staunchly human thing and very much visible in all societies. I grant you that there have been authors suggesting nepotism is a problem in South America and South/East Asia. It's also an issue in Europe, in fact it's an issue in North America as well.

The national bent is unnecessary. The aggressiveness belies ulterior motives too easily.


Unfortunately, it looks like they're proving my point. :(

What potential whistleblower would want to involve an unknown person who just becomes hostile when asked to establish their credibility? :(

Doesn't seem like an appropriate level of maturity. :( :( :(

---

@that_aint_cool Instead of name calling and other crap like that, how about giving people a reason to trust you?

You're a completely unknown person, asking to be let in on confidential details.

Do you think your behaviour - as demonstrated here so far - would be viewed well by a potential whistleblower or judge?


You seem to have a vested interest in de-railing the conversation.

I am the one sharing details-- such as the current SolarWinds CEO's cousin being in charge of the HR department of SolarWinds-- both of whom are native Indians (known to be a culture with rife corruption, fraud, and nepotism as discussed throughout many sources of reputable literature and journals).


> You seem to have a vested interest ...

And again you're jumping right into name calling.

You have a brand new, unknown account here, and you're asking people to share confidential info with you.

You have no profile info, and instead of providing details about yourself when asked... you start calling people names.

What that looks like is someone immature attempting social engineering.

If you're actually legit though, then please do better.


Why would I care where they live?

I said: "Are you an Anarchist?" (i.e. someone who doesn't care about law enforcement) "If so, have you considered moving to Venezuela or Somalia-- You may find those societies preferable."


You’re right if global cultures includes all cultures - even US. It’s how businesses and governments work worldwide unfortunately. The USA just (and has) had multiple presidents who were nepotistic.


lol. Let’s not throw Latin / Asian culture under the bus when the implicit alternative being posed is American culture. Pot meet kettle.

Remember what old mate says to Ryan Gosling in the Barbie movie? “We’re just better at hiding it.”


The fact that some culture becomes better at hiding it usually means that it's less accepted by the society, hence hiding it is more important.


Alternatively, they make their behaviour legally acceptable through legislation changes.


This, nepotism is rife in private American companies of all kinds from my own experiences and others.

O God, there's at least one company, I personally have experience with that not only is a nepotistic hellhole, but is actively defrauding the government and a few big names. The result of spoiled brats getting control of a very niche private hardware engineering company after their father died.


What kind of hardware engineering are they into?


That sounds like a startup opportunity.


Sounds like a whistleblower opportunity. The government pays big bucks when you bring major fraud to their attention.


While waiting for those life changing $$$, are whistleblowers in America generally treated well and their identity kept anonymous?


Yes. There are statutory protections for whistleblowers, as well: https://www.sec.gov/whistleblower/retaliation


I guess the real question is if they're generally effective?

For comparison, Australia theoretically has protections for whistleblowers. But it's unfortunately common for whistleblowers in practice to get royally shafted, have their life destroyed, (etc). :(

* https://www.abc.net.au/news/2023-03-27/richard-boyle-case-go...

* https://www.abc.net.au/news/2023-04-13/trial-date-for-afghan...


Latin / Asian CORRUPTION ^* culture

It's not difficult to find tons of cases...

^* "Corruption continues to fester, aided by scandals surrounding the COVID-19 response, and is fueling popular outrage. In Peru, for instance, ministers received preferential treatment for vaccines, and in Argentina, government officials set up “VIP immunization clinics” for family and friends."

"Beyond these instances of favoritism and nepotism, the crisis has resulted in the further weakening of judicial independence and the rule of law. In Guatemala, President Alejandro Giammattei has presided over dramatic steps against judicial oversight in recent months, including the sacking of the country’s top anti-corruption prosecutor. These maneuvers—coupled with underperforming economies—have further dented public support for elected officials and trust in government."[1]

^* [1] https://www.atlanticcouncil.org/blogs/new-atlanticist/democr...


I don't like that this is being pursued by the SEC. Especially since the likely penalty will be a large chunk of money that gets paid to... the SEC. Too much like extortion.

But as Matt Levine often reminds us - everything is securities fraud. If a bad thing happens and you did not warn investors about it beforehand, you can be sued for securities fraud by the SEC.

It’s almost like it’s illegal for investors to lose money, and the SEC enforces that requirement.

Investing is risky, bad things can happen, including execs that make mistakes (not talking about actual deception and fraud here) and investors should not be surprised when they sometimes lose money, or seek the strong arm of the government for relief.


This is like saying police officers shouldn't enforce speed limits because the ticket ends up back in the police department, and you could certainly make a point for a conflict of interest, but there is traceable proof. What actually happened in the SolarWinds instance seems to be actual deception and fraud. Plenty of companies go out of business due to competition, this isn't one of those instances.


Ticket money shouldn't end up back in the police fund. It should go into the general fund.


Don't you count the following as "actual deception and fraud"?

> SolarWinds allegedly misled investors by disclosing only generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies...

> SolarWinds’ public statements about its cybersecurity practices and risks were at odds with its internal assessments...

> SolarWinds and Brown engaged in a campaign to paint a false picture...


It's more like "if a bad thing happens and you knew about the risk and lied to investors about it".


> "As the complaint alleges, SolarWinds' public statements about its cybersecurity practices and risks were at odds with its internal assessments, including a 2018 presentation prepared by a company engineer and shared internally, including with Brown, that SolarWinds' remote access set-up was "not very secure" and that someone exploiting the vulnerability "can basically do whatever without us detecting it until it's too late," which could lead to "major reputation and financial loss" for SolarWinds. Similarly, as alleged in the SEC's complaint, 2018 and 2019 presentations by Brown stated, respectively, that the "current state of security leaves us in a very vulnerable state for our critical assets" and that "[a]ccess and privilege to critical systems/data is inappropriate.""

So I think if I'm reading that right, he knew things were "not very secure" and part of his role was to disclose that, and he didn't? I assume there's some rules in place that C level folks sign off on statements and he's the one to sign off on statements about security?


You're not reading that right: the problem isn't that this engineer knew the problem, it's that he gave management presentations about it and they didn't fix it.


The problem isn’t that they didn’t fix it.

It’s that they knew about it and didn’t disclose it.

When a company IPOs the SEC requires it to file a document that contains all known risks to the business and all possible factors that could negatively impact the company’s value over time. It sounds like they failed to include this specific known incident in their filings with the government.



These are often times problems that sadly take a long time to fix. Were they at least trying? Or just straight up didn’t care?


He is not C-level.


Here is Matt Levine’s, of Bloomberg fame, famous article “Everything Everywhere is Securities Fraud.”

https://www.bloomberg.com/opinion/articles/2019-06-26/everyt...

Now cybersecurity included.


I lost a lot of respect for Matt Levine with the pretzels he contorted himself into trying to defend the Texas Two Step as "really, truly, better for the plaintiffs", ignoring the two elephants in the room: if it was beneficial to the plaintiffs, why would the defendant go out of their way to do it? And how is it, by magical coincidence, that every firm that has done the Texas Two Step has managed to get out of paying up an average of over 90% (approaching 98% in a few cases) of their anticipated liabilities for decades of malfeasance and injury?

Matt and these firms would like us to believe that we should just trust them, "it will be so much more convenient and cheaper for you to sue us this way - we want to make sure we look after you... now. And we, really, truly, honest-to-god, promise that we'll actually fund the liability-stricken new entity we create^".

^ Offer not valid in the United States.


Or maybe as an expert, he understands the corporate bankruptcy process better than you and most of us here.


I have no doubt he understands the process better than me. Absolutely.

The outcomes speak for themselves though. Companies projecting $50B in liabilities for decades of injury to thousands of people funneling them into a shell company, "pledging" to fully fund that company, throwing maybe $100-300M into them, and then shuttering the company without fulfilling that pledge. That's the common outcome to each Texas Two Step story.

But Matt and these companies and the firms (I mean firm, there's essentially one firm whose livelihood is this process) all patronizingly try to convince us that that outcome is somehow "better for plaintiffs and consumers", when the only one that seems to actually win is the corporation that successfully shed the boat anchor it put around its own neck.


He was a lawyer in securities a long time ago. That doesn't automatically make him an expert in all areas of commercial law.


Do you have a link to Matt Levine's article? I've just skimmed his emails that have "Texas Two-Step" and don't see any defense thereof (mostly just explanations around J&J), but could well have missed it/before I started subscribing.


6 months ago:

> SolarWinds CISO Tim Brown has been named CISO of the Year by Globee Cybersecurity Awards for his work overseeing our Secure by Design initiative.

> "Through our Secure by Design initiative and our ongoing commitment to efficient information-sharing and public-private partnerships, ..."

This is like China and Saudi Arabia sitting on the UN human rights council.


> Globee

Never heard of it, but it looks like a pay to play, with dozens of awards. Not impressed

https://globeeawards.com/cyber-security/


The dirty secret is that almost every award for companies is pay to play. Some just obfuscate it better than others (e.g. gartner, forester or other big boys) rather than making it a straight up cash for award play.

If you aren’t paying to talk to analysts, sponsor events for their customers, etc… they aren’t going to pay attention to you or listen to what kind of products/services you provide. You do the same thing with customers, put them on bullshit advisory boards or whatever.

Boom! You are part of a wave or end up in one of the quadrants.


> H1. Thought Leadership | Cybersecurity Thought Leadership Awards


> "The volume of security issues being identified over the last month have [sic] outstripped the capacity of Engineering teams to resolve"... Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company's cyber controls

I read this is as we are sinking and we will take all of our customers down with us.


If you ever wondered why your CISO seems to be over promoted as an executive, this is the reason. A lower level manager can't take the fall for the CEO/company.


The billion dollar question: do we think SEC filing disclosures are about to get a bit more interesting to read? Or is the standard boiler plate "we might get hacked, our controls may not be sufficient" going to remain?


According to wikipedia SolarWinds suffered one of the largest cyberattacks against a company in history - one that also directly affected thousands of consumer devices (not just a company backend). This might be a unique consequence of a unique situation. But who knows.

> In February 2021, Microsoft President Brad Smith said that it was "the largest and most sophisticated attack the world has ever seen".

https://en.wikipedia.org/wiki/2020_United_States_federal_gov...


Brad Smith (https://news.microsoft.com/exec/brad-smith/) is a PR person at Microsoft. His role is to make loud statements on matters he has no knowledge of or qualifications to talk about.


I don't see this going in any direction other than a boilerplate that will become something that is ignored.

> SolarWinds and Brown defrauded investors by overstating SolarWinds' cybersecurity practices and understating or failing to disclose known risks.

In a nutshell, couldn't they say that in some way about any security software company?


The new 8-ks are already a response to this...


Well, when you are a CISO you also need to know your actual responsibility.

In Europe you are a normal employee with normal responsibilities and nobody sane would risk their future by going against the law. The IKEA CSO did that and was in jail.

I was asked twice to provide a statement for a US court (being European and living there). Just for the fun of it I asked our legal department to provide me with a full written explanation of the consequences, the risks and how much I would get paid to do something like that, which is outside my contract. Everything stopped there and some poor fellow in the US did that instead.

I then asked why it isn't the legal dept that issues these statements in the name of the company. I got some complex explanation of why they could not bear the risk.

Being a CISO means managing risks, including yours.


It’s interesting to see the SEC go after a CISO. Yes, he was at the helm, but he can’t be the one to patch systems… yes, they had an ongoing attack, but disclosing that to shareholders is a sensitive affair… they were also a technology provider to the US government. I honestly think that is what got them the teeth of the SEC.


They weren't charged for having deficiencies, they were charged for knowing about their deficiencies and lying about them:

> SolarWinds allegedly misled investors by disclosing only generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies in SolarWinds’ cybersecurity practices as well as the increasingly elevated risks the company faced at the same time.


CISOs are still often not considered C-suite, and rarely get called to boardrooms.

Commensurate with the new risks for a CISO, a seat in the C-suite, E&O coverage, and a nice parachute are the minimum CISOs should get.

Edit: I understand that in this case there were false statements made. That still does not remove the new risk for other CISOs to be dragged into quagmires they were not responsible for (see regulation discrepancies between various US, UK, or EU departments).


The SolarWinds case ups the stakes for CISOs everywhere. Are you secure? Yeah? Would you bet your life on it?

How about a "dissenting opinion" envelope where a CISO lodges his most critical objections to the company's most egregious security sins? This can be discoverable as evidence if there is ever an incident. This clearly establishes that the CISO performed his function and warned of the risk but was overruled by the CEO or the Board. "Yeah? We can't afford MFA? No problem. I'm just going to note my dissenting opinion just in case this comes back to bite us."


Now do Kaseya!


If you have something interesting to say about Kaseya (and it's on topic) by all means say it. But please don't leave these kinds of contentless "now do X" posts here.


Oh sure - I could talk about how their CISO is a former FBI agent who, prior to joining the company, was responsible for investigating the distribution of ransomware via their VSA product. Nothing shady there.

Or perhaps that their (rapidly shrinking) security team has been told to communicate via Signal so their messages can't be subpoenaed successfully.


Also, the question regarding Kaseya knowing about this well in advance and firing the person that tried to get fixes prioritized over features: "One of the former employees said that in early 2019 he sent company leaders a 40-page memo detailing security concerns and was fired about two weeks later, which he believed was related to his repeated efforts to flag the problems."

https://www.bnnbloomberg.ca/kaseya-failed-to-address-securit...


Ah yes, drivel. What I come to HN for.

