SEC vs SolarWinds: The CISO is not an Island
PR teams, CISOs, and executives of publicly-traded companies, take note: the implications of the Southern District of New York dismissing some charges against SolarWinds and their CISO are nuanced, and the story is far from over. Already, the saga includes lessons about regulatory requirements, management functions, and responsibility for external messaging. But all of it points to working closely with your management team and being very careful what you say in what context about your company’s security posture.
When the U.S. Securities and Exchange Commission (SEC) sued not just SolarWinds, but their CISO, personally, I was worried. The suit teed up multiple conflicts of interest with the biggest catching the CISO right in the middle.
Publicly traded companies are required by law to periodically file certain reports with the SEC. These reports must include certain statements about how the company identifies and addresses risk, including cybersecurity risk. In short, companies are obligated to periodically make public statements about how they approach cybersecurity risk. Who makes these statements? Or, more importantly, who is responsible for the content of these statements?
For statements about cybersecurity risk, the casual and easy answer (and the answer the SEC suit would have had you believe) is the CISO. But that makes less and less sense the more you look at the picture. Because in this context, we are talking about who is legally responsible for the statement’s accuracy if it might influence investor decisions. Is the CISO responsible because they draft the statement? What if a member of the InfoSec team does the actual writing? Or someone from Public Relations?
Ok, ok… but the CISO has authority over the InfoSec program. So, wouldn't they have to sign off on whatever is written? Probably yes, and in any reasonably functional management team, definitely yes. But this brings us to the heart of the matter…
The CISO is only one member of the management team. And it is the management team that is responsible for running the company. Importantly, this includes any and all public messaging, such as reports filed with the SEC.
Point at hand: I struggle to imagine a CISO at a publicly traded company drafting a statement for a mandatory SEC filing without going through several layers of review. At the very least, Law, Investor Relations, and Corporate Communications are going to bring their perspectives, not to mention the people in the CISO's management chain such as the CIO, CSO, CEO, or any other critical business partner.
CISOs are not an independent entity. They do not and cannot operate in isolation. Yes, the CISO should have a voice and management should not put words in the CISO's mouth. However, it is management's collective responsibility to approve or disapprove of what gets reported outside the organization and how. In short, management as a whole has ultimate authority over any kind of external messaging, whether that be to the Board, potential investors, regulators, the press, or the general public.
The only company officer that even partially breaks this model across the spectrum of publicly-traded companies is the Chief Audit Executive ("CAE" although actual title varies). In order to be effective in reporting on the integrity of company processes, CAEs must report outside of the management chain and directly to the Board. This is still a far cry from issuing unchecked public filings purporting to represent the company. But it is a different dynamic specifically designed to ensure Board access to an independent point of view on the efficacy of management controls.
A select few CISOs report directly to the Board, just like the CAE. But that is by choice of the individual company, and not mandated by any regulation. Hell, I only know of a select few industries with regulations that require companies to even have a CISO, and none that require the CISO to be an actual officer of the company (despite what the "O" in CISO stands for). The SEC suit ignored this distinction and implied CISOs of publicly traded companies are obligated and individually responsible for making accurate public statements about the security posture of their employer.
Specifically, the SEC suing a CISO personally implies they want the CISO to make transparent public statements about company security posture without management review. This would be a disaster on multiple fronts. For most companies this would reveal unfavorable information, likely missing essential context, that could scare investors and provide adversaries with a virtual map of where to attack. Ironically, this could even make the CISO's job harder by causing the stock to go down, thereby reducing overall resources available to the company, including the InfoSec team. Regardless, this is bound to frustrate and possibly embarrass management to the point where the CISO's internal relationships and external career prospects are toast.
Alternatively, the CISO can do the sensible thing and run all external messaging through management. The CISO should make sure the resulting language is technically correct and sign off on the end product. However, we must also recognize that management review will shape the message, likely in ways intended to reduce the risk of unnecessarily scaring investors. This is the proper function of an integrated management team. It also keeps the rest of management from being mad about the CISO dropping their drawers in public and should even provide adversaries with less tangible information to go on. But as evidenced by the SolarWinds case, it also puts the CISO at risk of being sued by the SEC (or possibly even going to prison) if the SEC demonstrates the language was incomplete, inaccurate, or misleading enough to cause harm.
Career suicide or prison? Hmm… this isn't sounding like the dream job I once thought it was.
On the surface, the CISO reporting directly to the Board and having the same kind of independence as the CAE sounds like it could have some merit. However, this is not the same thing as the CISO providing unfiltered public filings. Further, there is no cultural expectation for CISOs to operate this way, and a broad expectation of this kind of relationship would beg a myriad of questions - including how the CISO can realistically collaborate and get their job done if they are seen as more auditor than partner, not to mention complications in managing the relationship between the CISO and the CAE.
Fortunately, the court of the Southern District of New York seemed to recognize the CISO should not be thrust into an even more exposed position than the CAE. Specifically, the court did not see the CISO as being individually responsible for providing an unfiltered and unmanaged view of the org to external entities - at least not without considerably more legislative guidance. And so, as of today, the CISO may not be held personally liable for company statements about security posture in public filings required by regulation.
Unfortunately, the court drew just about the tightest line imaginable around company statements in public filings. Any statement made voluntarily and outside of required regulatory filings is still fair game. The charges that were NOT dropped are related to public statements made outside of required regulatory filings and tangible enough to be questioned by the public in the wake of a substantive security incident. The tangibility is important, because the statement then becomes more of a claim and could be more convincing to investors. When combined with a substantive security incident that prompts people to question the claim, it can expose the company to discovery of relevant evidence in internal communications, including all the trash talk that was never intended for prime time.
Bottom line: CISOs need to function as a fully integrated member of the corporate management team. If you're going to open your mouth about the security of your company, don't go it alone. You need to be in complete sync with the rest of management. While meaningless, politician-level "non-actionable puffery" may feel worthless to your technical core, it also just might be what keeps you out of jail. Because if you're going to say anything tangible, you'd better be telling a truth you can back up with hard evidence. And in today's world, provable truths feel mighty hard to come by…