SolarWinds CISO Tim Brown and CFO Bart Kalsu have received Securities and Exchange Commission notices of potential enforcement action over alleged violation of securities laws [2]. This is related to their response to the Russian hack of the Orion network monitoring software in 2020 [2].


Brown discusses the company's experience during the cyberattack [1], emphasizing the sophistication of the attackers and the difficulty a private company faces in defending against a nation-state adversary. He describes the intense and chaotic period immediately after the breach, with the company working around the clock to investigate and respond, and he stresses the importance of communicating with employees throughout such an incident [1]. The incident has prompted many companies to reevaluate their security programs and budgets [1]. In a separate case, former Uber chief security officer Joe Sullivan was sentenced to probation and fined for covering up a data breach, and Carlos Abarca, the former chief information officer of TSB Bank, was fined for operational resilience failings [2]. These cases highlight the increasing responsibility and scrutiny faced by chief information security officers. The report also notes the concerns of CISOs and suggests crisis communication drills and clearly defined role responsibilities as ways to mitigate liability risks [2].


These incidents involving SolarWinds, Uber, and TSB Bank [2] underscore the growing responsibility and scrutiny faced by chief information security officers. The impact of the Russian hack on SolarWinds has led many companies to reevaluate their security programs and budgets. The cases of Joe Sullivan and Carlos Abarca serve as reminders of the consequences of covering up data breaches and of operational resilience failings. Moving forward, organizations should prioritize effective crisis communication and clearly define role responsibilities to mitigate liability risks.