SEC and SolarWinds – An opportunity to do better?

About a week ago the SEC charged SolarWinds and its CISO with fraud and internal control failures.

There have been many comments from the security community, specially from CISOs that find outrageous to have a CISO charged for failings in security. I think that this is a dangerous oversimplification.

What we know for sure is that SolarWinds was breached in 2020 in a cyberattack named SUNBURST suspected to have been committed by APT29. This affected thousands of their customers, which were corporations, cybersecurity firms, and several international government agencies.

SUNBURST seems to have been ongoing for nearly two years before it was detected and there seem to be genuine concerns about the failure of properly implementing controls.

I really don’t want to discuss guilt. I don’t have all the information, and it will be down to the courts to establish that. For me the interesting aspect has been the reaction from the security community.

The SEC isn’t charging the company and their CISO because of the breach. What the SEC is saying is that the company “defrauded investors by overstating SolarWinds’ cybersecurity practices and understating or failing to disclose known risks”.

So, this doesn’t mean that every US company that is breached will have their CISO thrown into jail. The charges are for lying to investors, failing to disclose risks, and once breached, lying about their lack of security.

It seems that many organisations are applying controls fast and loose without ensuring they are actually working. Basically, checklist security. That’s when an organisation applies security principles so that they can tick them off a list and move on without actually determining if the control works, and if it has in fact increased security.

I guess that some companies think that if they are compliant they are secure, but that can leave them in a more vulnerable position, as they will feel safer than they actually are.

Is this is a common thing? Because some reactions I read make me feel as if this is more prevalent than it should be. Perfect security is impossible to achieve, but when there are opposing objectives in terms of being productive and being secure, companies have to assess the risk and determine how much they are willing to accept.

Bending reality to make the risk seem acceptable so that the company seems compliant is foolish. I have questions about what audits did SolarWinds go through, who ran them, and how they missed irregularities that seemed to be going on for years.

And I get it, CISOs don’t always take decisions on their own, and there might have been a lot more people complicit in massaging the information. My point is that if a CISO is telling a company what they want to hear, and not what they need to, the role isn’t really about security at all. It is about giving the company a credibility varnish, but it won’t improve their security posture.

Moving on, companies that are hiding the truth will be putting themselves at great financial and penal risk, and there might no longer be a worthwhile financial benefit for a CISO to keep quiet and go on with the program.

I am hopeful that this might bring a positive change of culture. Either giving CISOs more influence, or putting them in a position where staying at a company that disregards their advice is no longer acceptable.

Then again, there have been cases where scandals have instead pushed organisations to become even more secretive. I sincerely hope that won’t be the case.