In 2021, I found myself at DefCon, surrounded by some of the brightest minds in cybersecurity. There was a Policy Panel discussion that day that delved into the question of whether punitive measures should be imposed on organizations following cybersecurity incidents.

As I listened to the panelists and the audience, a thought kept nagging at me: "This is the wrong approach." Fast forward to today, and the recent SEC complaint against SolarWinds CISO only reinforces my belief.

The SolarWinds Case: A Brief Summary

The SEC has charged SolarWinds and its then-Vice President of Security and Architecture with defrauding investors and customers by making materially false statements about the company's cybersecurity practices. These charges came after a massive cyberattack, termed SUNBURST, compromised SolarWinds' Orion software platform, affecting thousands of customers. Read the full complaint here: LINK

The Misguided Focus on Individual Blame

While it's important to hold organizations accountable for their cybersecurity practices, focusing solely on the CISO is misguided. It's entirely possible that the CISO's public comments were made at the directive of the board or other decision-makers within the organization. If we are to improve cybersecurity practices across the board, we need to look at the systemic issues that contribute to these failings, rather than singling out individuals.

The Culture of Blame

The prevailing attitude toward cybersecurity needs to change. We need to move away from a culture of blame and toward one of collective responsibility and improvement. The fear of punitive measures can create an environment where issues are swept under the rug, rather than openly addressed and corrected.

The SEC's intent to foster transparency and accountability in cybersecurity is commendable, but the execution appears to be flawed, especially if only the CISO is being held accountable. This approach risks creating a chilling effect among cybersecurity professionals. If CISOs feel that they alone will bear the brunt of any cybersecurity failures, they may become less willing to disclose vulnerabilities or report incidents, which is counterproductive to the SEC's goal of transparency.

Moreover, cybersecurity is a shared responsibility that extends beyond the CISO to include the board of directors, C-suite executives, and even employees. By focusing solely on the CISO, the SEC may inadvertently absolve other decision-makers of their roles in shaping cybersecurity policy and practice. This could perpetuate a culture where issues are hidden or ignored, rather than transparently addressed and rectified.

In essence, while the SEC's aim to improve transparency is laudable, the narrow focus on the CISO as the accountable party could have unintended consequences that undermine this very goal.

As I sat among hundreds of experts at that DefCon Policy Panel, it became abundantly clear that we need a different approach. Policy has often driven this culture of hiding issues, a tactic that serves no one.

I am fully against the notion of persecuting individuals like the CISO in the SolarWinds case. Only by fostering an environment of transparency and collective learning can we hope to bolster our defenses against the ever-evolving landscape of cyber threats.