“Anything you say can and will be used against you.”
As the first CISO personally named in a civil lawsuit, Tim Brown knows all about how what he and his colleagues said — whether industry language or harmless jokes — could be used against him and his company, SolarWinds.
Brown was the CISO at SolarWinds when the infamous 2020 supply chain attack occurred. Nation-state hackers had injected malicious code into SolarWinds Orion updates, enabling them to infiltrate thousands of organizations worldwide, including government agencies and private companies, and conduct cyberespionage.
What ensued was not only what’s widely considered the first large-scale, highly sophisticated supply chain attack executed through a trusted vendor, but also a data discovery and interrogation by the SEC unlike any Brown had ever imagined, given he knew he had nothing to hide.
In October 2023, SolarWinds and Brown were charged with fraud for misleading investors about cybersecurity risks and internal control failures. After a five-year process, the charges against the company and Brown were ultimately dropped, but not before Brown learned some eye-opening lessons about communications, interpretations and what really can and will be used against you.
Don’t share too much
In the days and months following the 2020 breach, Brown shared more details with the public than many companies might. During an RSAC 2026 Conference presentation, Brown, currently general partner and CISO in residence at venture group Team8, admitted that the safest move — at least in terms of his own liability — would have been to stay silent. However, given public scrutiny of the incident, that would probably have put the company out of business.
“We got into a rhythm of sharing and sharing and sharing, and it really helped our process,” Brown said. He explained that it enabled the company to educate the industry about nation-state attacks and their tactics, as well as to share the steps it was taking to build cyber resilience.
But sharing too much isn’t always a good thing. According to Brown, his openness was a driving factor in the SEC’s investigation — in which it seized SolarWinds’ internal data, devices and communications — and led to his and the company’s eventual indictment.
Watch what you say
The first year of the investigation, the SEC collected data to build a case. It gathered company communications and emails, and requested Brown’s information from his phone, including WhatsApp and Signal messages.
“One of my naïve beliefs at the beginning was somebody was looking for the truth,” Brown said. But, he added, he soon learned that nobody was looking for the truth; they were looking for enough information to bring a compelling case to the enforcement division.
During the information-gathering and investigation phases, Brown was struck by which kinds of communications were called into question.
For one, industry information was misunderstood. Emails among him and the CTO and CIO often used “continuous improvement,” for example — a well-known phrase in the IT industry. The SEC questioned how they could possibly be “continuously improving.”
The SEC also asked why the company had an identity program that lasted several years. As any CISO knows, identity programs are ongoing initiatives that only grow and evolve — they never “end.” Brown said he was asked if he was incompetent.
“Normal operating procedures became evidence, from [the SEC’s] perspective, of negligence,” Brown said. He cited an internal audit report that found five incidents of misconfigured access controls. According to the SEC complaints, this was a “systemic issue” — despite the audit also reporting that the company had 30,000 properly configured access control records, and that it caught those five misconfigurations.
At the time, Brown tried to explain himself to the SEC — which he said only led to further problems.
“One of the mistakes I made during our first initial interviews and information-collecting by SEC policy folks was that I tried to teach them what software engineering was, what a security team does, what the process was — they accused us of collusion,” he said.
Another thing that alarmed Brown during the investigation was how some communications were taken out of context — an issue most organizations don’t address in communications or security policies. Plenty of internal communications warrant investigation and discipline — harassment, for example. But what about an email between two security analysts that says, “Our security sucks!”? Everyone has one of those days, and most employees occasionally vent to trusted colleagues. But any message sent over corporate channels is subject to subpoena, and when it comes to the SEC, those are serious words to utter.
“There were jokes in the deficit, there were casual conversations over Teams with our staff,” Brown said — communications he would never have thought twice about — until now, because the SEC also considered those jokes to be collusion.
Learning from the past
Brown said he believes the SEC was using the SolarWinds breach as a lesson for other organizations.
“Where I give the SEC a little bit of grace — someday we’ll figure out whether it’s true — is I believe that they were looking for a case that would be public enough, that would be able to put CISOs on notice, put security teams on notice, and put executive teams and boards on notice that security is important and you need to be talking about security more within the exec team, within the board — or else you’re being negligent,” Brown said. “They can’t create laws, but they can create precedents through enforcement.”
A lesson Brown wants people to take from his experience is that while no CISO or organization wants to limit what its employees say, within reason, under many regulations they have the right to, especially when those communications occur using company property.
“I never saw it said, ‘Be aware that the language you’re using within a message could be looked at in a critical way,’” Brown said. “We didn’t stress the idea of discovery and email being used against you or Teams being used against you.”
Brown and his RSAC co-presenter Ira Winkler, CISO and vice president at exposure management platform vendor CYE, shared the following advice to help CISOs and their organizations put controls in place to address this lesson:
- Put it in a policy. Create documents outlining appropriate behavior and communication. Get approval from the CEO down. Define penalties for noncompliance.
- Have an enforcement policy and enforce it. Enforce the policy fairly across all employees.
- Educate users about the policies. Ensure employees understand the policy. Include what the policy entails and how it’s enforced. For example, explain the discovery process, including email tracing and scraping.
- Adhere to regulations. Follow the appropriate and required industry, national and international regulations, as well as privacy laws, data protection laws and data retention laws.
- Encourage self-reporting. Create anonymous reporting capabilities for internal and external communications channels.
- Implement monitoring for internal channels. Implement just-in-time training and monitor all possible channels, including email and collaboration platforms.
Organizations should prioritize conversations about communications, interpretations and context, Brown said, and ensure all employees are informed and understand the situation clearly.
“If you’re not thinking about it, you don’t want to be the next Tim Brown — no offense,” Winkler said.
Sharon Shea is executive editor of TechTarget Security.