I think the key here is that SolarWinds' C-staff deliberately downplayed the severity of the attack, and were very late in informing customers and regulatory agencies of the severity of the attack.
I.e. they are being prosecuted not because they were "incompetent and got hacked", but that they then "tried to cover it up", which is where the SEC comes in (illegal stock manipulation via false or incomplete release of public information).
The more these happen, the more likely it'll be that the role of CISO will need to be compensated commensurate to risk.
And report up to the CEO.
But it also depends on the nature of the action that's about to come down. My guess is something to do with misrepresentation of SolarWinds' security posture.
CISO needs to report to either chief risk officer (edit: who reports to the board) or the board directly imho. Anyone else (CXO) has incentive to apply pressure at odds with the role, or not take compliance requirements or regimes seriously. Checks and balances.
> CISO needs to report to either chief risk officer (edit: who reports to the board) or the board directly imho.
I mean, this is all company bylaws, you can't seriously legislate this. But in any case, C-execs do have skin in the game (particularly if investigated by the SEC). They're usually insulated, but if non-compliant (or grossly negligent), directors can be personally liable.
Comments like these implicitly deny the existence of heavily regulated industries.
When refusal to take cybersecurity seriously results in 1/3 of Americans losing their identity, or when refusal to take cybersecurity seriously results in what happened to SolarWinds, they should be subjected to a regulatory scheme that will enforce seriousness.
As far as societal problems go by far the biggest is the need for people to only consume entertainment because then they start using it as an argument. It was funny enough when people were using Jon Stewart. It was bad enough when people started using John Oliver. But Mitchell and Webb? Really?
The BBC period costume drama image of posh characters referencing the classics makes that look more respectable, but I'm not sure how different that was in practice from the modern-day, say, barrage of obvious reaction "meme" images to a Tweet.
Agreed, but this is in large part a function of how things are enforced. The lack of real accountability (especially at the executive level) related to the spirit of the law/regulations is how these things just turn into box ticking exercises.
If you think those checkboxes aren't actively serving a purpose then ... there's nothing really to say against such ignorance except to inform you you're wrong.
> results in 1/3 of Americans losing their identity
Just because enough identifying information about me had been leaked where people could potentially use it to impersonate me, does not mean that I stop knowing who I am.
There should definitely be a government inspector general empowered to poke around.
SolarWinds was a sophisticated operation, but there are a ton of security orgs for very important companies that are just inept, underfunded, or both. And absent mandated ability to inspect, they're not going to get the harsh spotlight of "unfuck this now" they deserve.
Typically the company would always have its own in-house compliance organization and executive, even if there is extensive, on-site federal regulation (like banking sector). So that would probably look like the company having its own CISO, but some of the technical decisions/changes being approved by or required by a regulatory agency.
CISOs are often hired for the purpose of having an executive head to cut. They'll commonly report to the CIO, but have C-suite titles or employee designations (at-will in some states). It's a stressful position with a lot of legal responsibility and little organizational influence and authority.
I mean as "selling a quarter billion dollars of stock before publicly disclosing the cyber crime of the century that you likely knew about for quite some time" is less "anything" and more "trading on material non public information."
Ha! On this, I will blame the bad reporting, then. This story seems to focus on response to a security event. Do you have a pointer to the trades that are in question?
Edit: Notably, where did you get that quote? I'm not seeing it in this story.
Understood; it's not news I would typically follow, so it was unknown to me. Thanks for the link to another source!
As with most answers, this one comes with questions of its own. If it was that well known and obvious, why did it take so long to move on it? I'm now interested in this topic. :D
No amount of financial cost is sufficient for these kinds of things if you wish to truly prevent them in the future. There needs to be associated criminal charges for the individuals responsible. We are all still suffering from the Equifax breach all these years later and it won't be long before another Enron shows itself and that is simply because there was never any real consequences for the people primarily responsible.
We live in an age of binary reproducible builds and anything worth running is open source.
Windows-centric orgs barely know software from their ass.
If your org is dumb enough to run closed source software for core IT functions, or you run Windows on bare metal, or don't have TPM chips and secure boot enabled, you kinda deserve what you get.
Would mark a major escalation in executive accountability... Still no criminal charges, though.
> "Sunburst was a highly sophisticated and unforeseeable attack that the United States government has said was carried out by a global superpower using novel techniques in a new type of threat that cybersecurity experts had never seen before," a company spokesperson told Cybersecurity Dive in an emailed statement.
From what I can tell, all we know is that the attackers definitely got into their build system (since the trojan was signed), and we know they moved laterally through exploits in various Microsoft products: https://en.wikipedia.org/wiki/2020_United_States_federal_gov...
Haha. I didn't follow it. After a bit of searching I had to laugh. They got owned by the 'hunter2' meme and call it a highly sophisticated and unforeseeable attack.
> Would mark a major escalation in executive accountability... Still no criminal charges, though.
If there was a criminal referral they wouldn't announce it, and any charges would usually significantly trail civil enforcement action, judging from every other SEC civil + DOJ criminal action I've seen.