Root Causes 315: Will the SEC Sue SolarWinds Executives?
The SEC has sent "Wells notices" to two senior executives from SolarWinds, with regard to the 2019 to 2020 supply chain attack. In this episode we explain these notices and their implications.
- Original Broadcast Date: July 7, 2023
Episode Transcript
Lightly edited for flow and brevity.
-
Tim Callan
So we have an update. A long time ago, we and everybody else in the world talked about the SolarWinds software supply chain attack and its sweeping ramifications at the time, and there is an update on that one. Is there not?
-
Jason Soroko
It seems to be, Tim. Basically, it looks like the SEC sent out what are known as Wells notices to the CFO and the CISO, and that's interesting enough. And what was the date on that, Tim?
-
Tim Callan
That was June 23 of 2023. If you want to find the filing itself, the Wells notice itself, it's not all that interesting, but if you searched for Form 8-K SolarWinds Corporation June 2023, I'm sure it would come up and you can read the original document.
-
Jason Soroko
Right on, Tim. So the thing is, as the article sets out to tell the reader, this kind of is a new milestone for liability of CISOs. Look, the elephant in the room, not so much an elephant, we've all heard the saying, CISO stands for something like chief scapegoat officer or something like that. And my goodness, I've known some good CISOs. These are such well-meaning people who do good, good work. And there are also people who've been in some of these organizations, and I don't know some of these people personally, but I do know that there has... I am not going to call things a cover-up. I'm not going to call things what the charges are or what the potential legal liabilities are, the things that people are being accused of, and in this case, Tim, let's just state it flat out. The reason why a CISO would receive a Wells notice, um, remember that these notices are typically given to the absolute top end of the C-suite.
CEOs, CFOs, and as the article says, quite often it's the absolute worst of the worst. You know, people who are running Ponzi schemes, quite literally, which is wild. And in this case, the Wells notices are being handed out to CISOs, I guess, Tim, because of not fully disclosing material information.
-
Tim Callan
So let's make sure that the listeners are on the same page, because I'm not sure that Wells notices are something that everybody is familiar with.
So basically, if the SEC is interested in actually, potentially, legally pursuing an individual who is in a leadership position at a corporation, then what it does is it gives them an opportunity to basically lay out their case, and this Wells notice is what that is. They send the Wells notices to the individuals who may be - may be - prosecuted. It doesn't mean they are going to be prosecuted. It certainly doesn't mean that they've been found guilty. But if that's a potential legal action, then the SEC sends this notice, and that individual is given some kind of reasonable opportunity to respond. And so the implication of that is that, in addition to obviously, these people all had a very bad day, because SolarWinds was all over the news and will probably be remembered for the rest of its life for that particular episode, and I can only imagine what it cost the company in terms of revenue and customers and certainly brand value and things along those lines. Now, in addition to that, it's at least possible that these individuals are going to face some kind of criminal charges, or a fine, or maybe they wouldn't be allowed to do something like that. And so this is a big deal.
-
Jason Soroko
What I read into it, Tim, the potential is for the beginnings of a civil suit rather than criminal. And also, as the article does specify real clearly, it is about not being able to serve on a public board of directors. So, that's an important piece.
-
Tim Callan
That would be a big deal.
-
Jason Soroko
Absolutely. But the civil liability is scary enough. And I was watching some tweets go by this weekend on this, Tim, and some of what was said was, geez, all CISOs that are out there, get a lawyer if you don't have one already, because basically your job becomes a court case. And I don't know if it's to that level, but on the other hand, wow.
-
Tim Callan
So none of us, I mean, not none of us. Some people in the world have, but neither of us, and surely probably none of our listeners or almost none of our listeners, were actually inside whenever any of this stuff was going on. So we just see what we read in the news. But at least to one degree, it's to say, gosh, if you're a CISO, or some kind of very senior executive, and you try your darndest, and you do everything you can to get it right, you could get owned anyway.
-
Jason Soroko
Exactly.
-
Tim Callan
That is the world we're in. There are zero days. There are tried and true techniques, like social engineering attacks, that are so hard to guard against. There are extremely, extremely powerful bad actors out there, like state-sponsored actors, and there's just a lot of ways that very, very, very professional people who are expert and diligent and conscientious and ethical can still lose that fight. And so it's a little scary, if you feel like you might give it your all, you might do everything as well as you possibly can, you might be good at your job, you might leave it all on the field, and still lose, and then all of a sudden be staring down something like a civil suit, when your career has already been just badly damaged. And that just seems like, oh, wow, really? That's a scary idea.
-
Jason Soroko
Tim, if we go all the way back to the Target breach, I actually was somewhat involved with some of what was going on on the federal government side of making a prosecution response, or at least the questions that were going to be asked on the Hill of the CFO of Target at the time.
And I remember some of the accusations were around scapegoating of what was the equivalent of their CISO and scapegoating of the IT team and cover-ups at the level of the CFO. And what it says to me is that right now, if you're a CSO, and man, we really should have a CISO on to talk through this because I'm sure that a lot of them have opinions. Really, to me, the heart of it is when you are making your response to a breach, and as you just said, Tim, the potentials for breaches for everybody, they're not zero. They're greater than zero probability. It's just one of these things that it could happen to just about anybody, no matter how well-meaning you are, and you really need to absolutely have a plan for how you disclose, when you disclose, because there's legal requirements for that, especially for private companies, but also, in this case, especially for public companies. This was all about material disclosure, and that's why the SEC was involved.
-
Tim Callan
Right. Yep.
-
Jason Soroko
And so in this case, Tim, I can see there being natural pressure in a publicly trusted company, in a company that, it's just sometimes human nature, where there's pressure from the CFO, pressure from the CEO to say, oh, my God, we can't say that. That might be an honest response, but we can't say that. And then all of a sudden, perhaps it used to be - perhaps, and I'm not saying this is the truth - but perhaps it used to be CISOs might have thought of themselves as being, well, I've got to follow what my boss tells me and they're the upper level directors. I won't be the one getting sued into the ground. Nope. So I tell you right now, if I'm a CISO, this is my personal opinion, Tim, tear me apart, if you wish.
-
Tim Callan
It's all your personal opinion. That's what we do, but go on.
-
Jason Soroko
Personally, if I was a CISO right now, and I received even the slightest pressure from upper, upper brass, don't say that, I'd be like, go to hell. My own personal neck's on the line now and perhaps - -
-
Tim Callan
But the CISO doesn't even control that. I mean, ultimately, the public communications of the company are going through mechanisms that the CISO doesn't manage. So unless I'm supposed to go on Twitter and say, hey, I'm whistleblowing my own company, how does the CISO even do that in the event that the group internally, which in this case presumably is what rolled up to the CFO, is the one that handles communications? Now, we don't know the specifics of this case. Maybe in this case, they feel that everybody was collaborating on this. But more generally, if I'm a CISO and I say, no, I'm not going to bless this press release because I don't believe that it's accurate, or if I say we need to have a press release, and they say, well, we're not going to issue one, I can't issue a press release on behalf of the company. I don't have the capability of doing that.
-
Jason Soroko
Well, as I said, if I'm the CISO right now, I'm saying y'all can go to hell because I've got legal responsibilities here.
-
Tim Callan
Right. So maybe I do have to put it on my Twitter or something.
-
Jason Soroko
Maybe. Maybe I've got to get a press agent? I don't know.
-
Tim Callan
Like, call the New York Times. And it is scary. I mean, on the one hand, you kind of think like, if you're in this kind of job, if you are a top-level security person at a high-profile IT security firm, you understand that there's some amount of career risk that's coming with this. You understand that if you go in there, and you're the one that is completely owned, and you're all over the headlines, then you're probably losing your job, and your next job probably isn't as good. And for the rest of your life, you're going to have this thing on your resume that's going to make people look at you sideways. And you understand, to some degree, that that's the game you're playing, and whether or not it's fair who gets blamed for that and who doesn't, at least we all know what we're doing. But I don't think that that person is expecting their own life savings to be in jeopardy. And so that's also, I think, a lot of where it's alarming. It feels like the penalty is crossing the line into areas that don't have to do with the job you're doing.
-
Jason Soroko
Correct. Exactly. It is tough right now. And that's why I would love to speak to somebody who is right in the middle of it. But in this case, and this is very specific, this is for CISOs within publicly trusted companies, and CISOs who might be in an environment that doesn't have real full backing from all the C-level, high-level C-level brass, and if you're in that situation, man, rethink what you're doing, because it's obvious that the SEC wants to uncover every stone, and it's now putting pressure directly at the CISO to the point where it's like, wow, these very serious potentials, never mind the Wells notice, it's the reality of what could happen after a Wells notice that we're talking about here. It's just too scary to think about if you're not in that environment where you've got full support to be thoroughly honest, and if you're on the hook to communicate, then you'd better have that mechanism to communicate and be able to know exactly how and when to do that and not have any kind of like - - again, I'm just repeating myself, if I'm a CISO, nobody is in charge of my communication after that. I am in charge of the communication. Go to hell.
-
Tim Callan
So do you think this has a chilling effect on people, young, bright stars who are very good at computer science and are trying to figure out what to do with their careers? Do you think people see something like this and say, oh, maybe not security? Maybe I'll do something different? Do you think that happens?
-
Jason Soroko
Maybe, Tim. But I've got a lot of faith in the younger folks, in the next crop of CISOs. And I'll tell you why. Normally, I'm the big cynic in the crowd, but I think in this case, I'm the opposite. And I'll tell you why. It's because really what you need to be doing here as a CISO of a publicly traded company is you need to be absolutely sure that you've got the mechanisms in place to be compliant with material disclosure rules. And if you find, if there's any reason at all that you might have somebody beside you, CEO, CFO, who can put undue pressure on you, or you suspect that they would, or the culture of the company is such that you know that there is going to be pressure to hide something, and you're going to be asked to be in on it, I think a lot of the younger generation is like, you know what, I won't stand for that. I just am not going to work for a company like that. And I will tell you, if I'm interviewing for a CISO job tomorrow, that is going to be one of my first questions: what is the culture here? And it's going to be the first thing I do for the next three months, six months, two years, is probing and making sure people understand I'm a straight shooter, and you can't get in the way of me disclosing the truth.
-
Tim Callan
Right. And there's other roles, I think, where we see that there's this need, like, if you're the data privacy officer, or you're potentially the head of compliance, or if you're Chief Counsel, these are roles where I can imagine people sort of taking that position. Saying, look, there are ways I will operate and there are ways I won't, and if we're going to do the second one, then you're just going to do it without me. And perhaps now, but you never thought that the CISO kind of had to be in that kind of position before.
-
Jason Soroko
That's what's changed.
-
Tim Callan
But you look at something like this and start to say, wow, gee, I guess maybe they do as well.
-
Jason Soroko
Exactly, Tim. That's what's changed here, is that these officers within the company are under that level of scrutiny now and that level of, just frankly, liability, especially when you're publicly traded. The CISO is now part of that game, clearly, according to the SEC. So there it is.
-
Tim Callan
There it is. Alright, so, big deal. Again, we don't know the details on all of this, but if you kind of think of the bigger ramifications, I think this one was a gee whiz.