SolarWinds lawsuit dropped: CISOs can breathe a sigh of relief

A lawsuit brought by the US Securities & Exchange Commission (SEC) against SolarWinds has been dropped. The legal fire was also directed at the company’s CISO, Timothy G. Brown. Brown’s alleged personal responsibility will now not be determined in court. It therefore appears that CISOs have less to fear from the law than previously thought.

CISOs are responsible for securing their company’s IT infrastructure. For that reason, it is not surprising that Brown was called to account in a lawsuit in this capacity. Due to alleged fraud and fundamental internal control errors, the SolarWinds CISO is said to have contributed to the large-scale SUNBURST cyberattack. Through a supply chain compromise, Russian spies managed to place a backdoor in SolarWinds’ Orion network monitoring system. Roughly 18,000 organizations were affected by this backdoor.

Jointly dismissed

The SEC, SolarWinds, and its CISO have now jointly asked the court to dismiss the civil enforcement action against the company and Brown. This is not too surprising: the case was brought in October 2023 but was largely dismissed by a New York court in July 2024. According to CRN, it seemed at the time that the parties would reach a settlement, but that now appears not to be the case.

For CISOs, the legal waters are still turbulent. The fact that the SEC in the US opted for a personal indictment in addition to one targeting SolarWinds as a whole shows that they can be a target. SolarWinds had previously claimed that Brown was a victim, just like the company itself. A spokesperson for the company told The Register: “We hope this resolution eases the concerns many CISOs have voiced about this case and the potential chilling effect it threatened to impose on their work.”

Threats everywhere

Securing an IT infrastructure is more difficult than ever, as every expert seems to agree. Software supply chains are also becoming more complex by the day, and AI appears to be a game changer in simplifying cyberattacks. The hope is that technology (perhaps with AI) can avert these dangers without security noise and blind spots, an effort companies hire CISOs to lead. That effort is much harder to manage when the threat is also legal in nature. Of course, CISOs should be expected to bear their responsibility, just as CEOs do for the entire company, CFOs for finances, etc. But the precedent for this specific role has not yet been set. Not even today, for that matter: there is still no court ruling, because the case has been discontinued. Nevertheless, the rejected claims of July 2024 may already have had a positive effect from the CISO’s perspective. A subsequent case may provide a definitive answer.