Caute_cautim
Community Champion

SEC charges SolarWinds CISO with fraud

Hi All
 
Prepare for the ramifications.....
 
 
The complaint was filed in the Southern District of New York and centers on violations of the anti-fraud provisions of the Securities Act of 1933 and of the Securities Exchange Act of 1934. The SEC “seeks permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director bar against Brown."
 
Clients have received the following:
 
 
 
Regards
 
Caute_Cautim
 
 
5 Replies
Caute_cautim
Community Champion

Hi All

 

The recent charges against SolarWinds Corporation and its Chief Information Security Officer (#CISO), Timothy G. Brown, by the Securities and Exchange Commission (SEC), highlight the crucial intersection between cybersecurity, transparency, and accountability within organisations.

The Securities and Exchange Commission brought charges against SolarWinds and its CISO for alleged fraud and internal control failures related to #cybersecurity risks and #vulnerabilities. The complaint suggests that SolarWinds misrepresented its cybersecurity practices to investors, failing to disclose specific deficiencies and risks, leading to misleading public statements about the company's security posture. Additionally, internal communications indicate the company's knowledge of vulnerabilities, which were not adequately addressed, ultimately affecting their ability to protect critical assets.

This situation could prompt a reevaluation of CISO roles and responsibilities in #Australia and #NewZealand, potentially leading to stricter regulatory measures or guidelines to ensure proper disclosure and management of cybersecurity risks within organisations. Authorities might impose additional compliance requirements, thereby influencing how CISOs function and their accountability in ensuring robust security measures and transparent #risk reporting.

The actions taken by the SEC against SolarWinds and its CISO underscore the increasing emphasis on #transparency and #accountability in cybersecurity practices. This highlights the necessity for CISOs to be positioned appropriately within an organisation, with direct influence to address and manage risks effectively.

The case indicates the critical role CISOs play in not just identifying but actively addressing cybersecurity risks. It also emphasises the importance of fostering a #culture where concerns about security are not just acknowledged but acted upon, ensuring a company's cyber #resilience.

This enforcement action underscores the imperative for organisations to implement robust controls aligned with their risk environment. It also signals a need for CISOs to actively communicate, address, and elevate security concerns within their organisations. Moving forward, I anticipate further examples and cases that will continue to stress the need for strong cybersecurity measures and ethical transparency in corporate environments.

 

https://lnkd.in/gQ4WMUCe

 

Regards

 

Caute_Cautim

JKWiniger
Community Champion

I would guess the CISO did not have a seat on the board, as should be required, and ultimately shouldn't it be the CEO who is held accountable? For some reason it comes to mind that years back, after a breach, it was found the CISO had a degree in music! We need people who are properly trained and are in the position to do what needs to be done.

 

John-

Del
Newcomer III

There were reports, back in 2017, that the Equifax CISO originally majored in Music ... I felt then, and still do, that should not have been seen as a failing, in the absence of any other information about that person's skills, experience or competence to hold the position.

 

My primary degree is in optical physics. The smartest security person I know majored in Finance, and I cannot count the number of reputable and skilled security people I know who never finished college at all.

 

I agree that proof of competency is required for senior C level positions including CISO ... but I would be slow to narrow that scope to security related degrees; professional training, certification and proven experience all have to be considered too.

Steve-Wilme
Advocate II

Isn't the whole point of security certifications of various kinds to make it far less relevant what degree a holder originally took? So many people enter infosec as a career change; it would be unreasonable to later criticise competent professionals for their prior training and qualifications.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
ericgeater
Community Champion

Jacob Horne made an interesting post on LI today about this topic. We may have an opinion about whether it's too heavy-handed for the SEC to charge Brown and SolarWinds, but Horne suggests the SEC likely got its position from an earlier lawsuit brought against SolarWinds by their investors.

-----------
A claim is as good as its veracity.