Scott Schober, Cyber Expert, Author, and CEO of Berkeley Varitronics Systems, sits down with Cybercrime Magazine's host, Heather Engel, to discuss the US Securities and Exchange Commission's case against SolarWinds. The podcast can be listened to in its entirety below.
Q: Joining us today is Scott Schober, Cyber Expert, CEO of Berkeley Varitronics Systems, and author of the popular books Hacked Again and Senior Cyber.
Scott, welcome to the podcast.
A: Hey, great to be here with you, Heather.
Q: Today, we're talking about the recent case against SolarWinds. So late last month, the U.S. Securities and Exchange Commission on Monday sued software company SolarWinds and Timothy Brown, the Chief Information Security Officer, saying SolarWinds defrauded investors by hiding cybersecurity weaknesses during a massive hack that targeted the U.S. government.
So Scott, can you provide us with a little background on the SEC's case against SolarWinds?
A: Yeah, sure. I call this kind of like a landmark one because it kind of sets a precedent, the way I view this. If you look at what happened here, SolarWinds, it affects thousands of different companies that are using their software, and what they kind of revealed here is that there were a lot of misstatements, I guess, about their cyber security practices; some of their descriptions regarding the breach were not really clear. They didn't have internal controls in place to properly safeguard the assets and things that they were trying to protect. And they didn't really have the proper disclosures in place, either. So for lots of different reasons, the watch with Timothy Brown, I guess they're pretty upset, and they're taking it out on him, certainly, and it is his responsibility overall, as the Chief Information Security Officer.
This goes back to 2020, really, when we first started to learn about SolarWinds and this giant breach and how widely encompassing this entire thing was. Now we're starting to find out some of the little details as this fallout starts to happen here, and I think we're going to learn a lot of things from this going forward, when we see about the responsibility down the chain within an organization: that you gotta really be truthful and transparent as things start to unfold. And we're learning that this clearly was not the case in the SolarWinds breach.
Q: So this case brought by the SEC isn't so much about suing SolarWinds for getting hacked. It alleges that the picture SolarWinds painted for their investors was inaccurate, and the case cited known risks and vulnerabilities that weren't disclosed. This reminds me a little bit of the Uber case, where Uber’s Security Chief was convicted of covering up a data breach. What message does the case against Timothy Brown send to CISOs?
A: To me, again, and to your point, which is a great analogy there. The Uber scenario was a debacle, and I believe with that one, they kind of did a little cover-up and said, “Hey, this was really a bug bounty here,” and it misled investors, and it misled shareholders, and it really did affect the bottom line of the company, and it affected what people do as far as the brand and buying and investing into a company. And the same thing is true here, with SolarWinds.
It sends the message that CISOs have to be transparent. They have to come clean and tell their shareholders and their board and their stakeholders what's going on. “Hey, we were breached. Here's what happened, here are the mistakes that we made, and here's what we're gonna do to prevent it from happening again.” And in a sense, there were a lot of little things that probably added up to one big thing. It's the risks that were there, and there were vulnerabilities, some known and some unknown, that just were not brought out to everybody and shared. So I think just sharing is an important part.
I look back on many breaches, as you mentioned Uber, but you go back to 2013, even, to Target. Look what happened in the beginning there. That was one of the biggest landmark cases for credit cards, and when they weren't fully transparent, it was a disaster for the brand. It took over 2 years just to come clean. Same thing here. It's going to take time, but the quicker you come out with what happened, the better chance you have to rebuild trust and to maintain a brand.
Q: I've seen a lot of discussion on message boards and things where CISOs are having conversations about what this means for them and how they'll do their job differently in the future.
A: Definitely, it's going to affect the future for many people. And I think again, it's something that people will always go back to. We'll be reading about this, I think, in years to come, and it will be brought up. In some ways, it's good in the sense that it reminds us where mistakes are made. We can all learn from it. How can we do a better job so we don't keep repeating this again and again and giving cybercriminals the upper hand?
Q: Well, as of September this year, the SEC has new rules that require publicly traded companies to report breaches to the agency within four days of determining that an incident may have a material impact on the company. So that, again, leaves a little bit of room for interpretation. But we know that data breach cases are complex, and working through incident response varies very much depending on circumstances. So when does an executive team have the responsibility to notify their investors in a situation like this?
A: As I said before, it's important to do it as soon as possible and be transparent, but at the same time, you don't want to get ahead of yourself. If you don't have the proper review of all the information, you can't really put it out there to the public and share with your shareholders what happened until you know what happened. So sometimes you have to be careful. You need to give them a date, and it has to be relatively quickly.
Four days may be a little bit quick, but it's a good goalpost, let's say. It may take a little bit longer in more complex cases, depending upon the size of the network, the number of parties, how things happen, what was taken; if it's a federal investigation, that is a big part of it, because now you're dependent upon law enforcement also. So it's hard to put a line in the sand and say it has to be done in four days, but I think it's a good starting point so it doesn't drag out. Here we are talking about this some 3-4 years later, after the breach. So that's too long. That's too long to be learning these types of things after a deep investigation happens, and a lot of the damage is already done. So yeah, I applaud the SEC for implementing some rules that will push publicly traded companies to step forward and do things and keep it as tight as possible, I guess.
Q: Yeah. And you know, if I'm a CISO and I'm looking at my incident response plan, one of the things that I'm doing is creating some sort of matrix that says, “This is how we've determined that this does or doesn't have a material impact on the company so that I can start that timer and do the reporting properly within the 4 days.” 'Cause you're right. That is a really short amount of time.
Well, Scott, any final thoughts on this case and what it means for data security in general?
A: Again, I think it just kind of helps us all step back from this and give pause for thought. In this particular case, a lot of the allegations were about misleading investors about cyber security practices and failing to disclose these known risks that have serious implications, and it does affect CISOs across many different industries. So I think it's a good wake-up call for all CISOs to make sure that not just that they're being transparent and sharing information, but also that they're being proactive.
When you're being proactive internally and reinforcing your defenses, and you're educating throughout the industry, when you're sharing information up and down the food chain within an organization, it's going to allow you to build a robust cyber plan and minimize the risks and see what those vulnerabilities are, so they can be patched up and work together as a team with an organization. I think otherwise, what's going to start to happen is we're going to see a mass exodus, and we're going to be losing a lot of great quality CISOs that are doing some amazing things out there for organizations. We don't want to burn them out. And there's already that kind of burnout starting to happen as they're hopping from industry to industry, getting out of cyber security. We don't want that to happen. We need good people to fight this battle and keep it up.
Q: Well, Scott, thank you for joining us on the podcast today.
A: Thanks so much for having me.
For more information on how your organization can understand and ensure compliance with the SEC’s ruling, see Cimcor’s newest brief, Navigating the SEC’s Cybersecurity Disclosure Rules.
November 21, 2023