“Anything you say can and will be used against you.”
As the first CISO to be personally charged in a civil lawsuit, Tim Brown knows all about how what he and his colleagues said, whether business language or benign jokes, can be used against him and his company, SolarWinds.
Brown was the CISO at SolarWinds when the notorious 2020 supply chain attack occurred. Nation-state hackers had injected malicious code into SolarWinds Orion updates, enabling them to infiltrate hundreds of organizations worldwide, including government agencies and private companies, and conduct cyberespionage.
What ensued was not only what is widely considered the first large-scale, highly sophisticated supply chain attack executed through a trusted vendor, but also a data discovery and interrogation by the SEC unlike any Brown had ever imagined, given that he knew he had nothing to hide.
In October 2023, SolarWinds and Brown were charged with fraud for misleading investors about cybersecurity risks and internal control failures. After a five-year process, the charges against the company and Brown were ultimately dropped, but not before Brown learned some eye-opening lessons about communications, interpretations and what really can and will be used against you.
Don't share too much
In the days and months following the 2020 breach, Brown shared more details with the public than many companies would. During an RSAC 2026 Conference presentation, Brown, currently general partner and CISO in residence at venture group Team8, admitted that the safest move, at least in terms of his own liability, would have been to stay silent. But, given the public scrutiny of the incident, that would probably have put the company out of business.
“We got into a rhythm of sharing and sharing and sharing, and it really helped our process,” Brown said. He explained that it enabled the company to educate the industry about nation-state attacks and their tactics, as well as to share the steps it was taking to build cyber resilience.
But sharing too much isn't always a good thing. According to Brown, his openness was a driving factor in the SEC's investigation, in which it seized SolarWinds' internal records, devices and communications, and ultimately led to the charges against him and the company.
Watch what you say
For the first 12 months of the investigation, the SEC collected data to build a case. It gathered company communications and emails, and requested records from Brown's phone, including WhatsApp and Signal messages.
“One of my naïve beliefs at the beginning was somebody was looking for the truth,” Brown said. But, he added, he soon found out that nobody was looking for the truth; they were looking for enough information to bring a compelling case to the enforcement division.
During the information-gathering and investigation phases, Brown was struck by which kinds of communications were called into question.
For one, industry knowledge was misunderstood. Emails among him and the CTO and CIO often used “continuous improvement,” for example, a well-known phrase in the IT industry. The SEC questioned how they could possibly be “continuously improving.”
The SEC also asked why the company had an identity program that lasted several years. As any CISO knows, identity programs are ongoing initiatives that only grow and evolve; they never “end.” Brown said he was asked if he was incompetent.
“Normal operating procedures became evidence, from [the SEC's] perspective, of negligence,” Brown said. He cited an internal audit report that found five incidents of misconfigured access controls. According to the SEC complaint, this was a “systemic issue,” despite the audit also reporting that the company had 30,000 properly configured access control records, and that it caught those five misconfigurations.
At the time, Brown tried to explain himself to the SEC, which he said only led to further problems.
“One of the mistakes I made during our first initial interviews and information-collecting by SEC policy people was that I tried to teach them what software engineering was, what a security team does, what the process was; they accused us of collusion,” he said.
Another thing that alarmed Brown during the investigation was how some communications were taken out of context, a problem most organizations don't address in communications or security policies. Plenty of internal communications warrant investigation and discipline, harassment, for example. But what about an email between two security analysts that says, “Our security sucks!”? Everyone has one of those days, and most employees occasionally vent to trusted colleagues. But any message sent over corporate channels is subject to subpoena, and when it comes to the SEC, those are serious words to utter.
“There were jokes in the deficit, there were casual conversations over Teams with our staff,” Brown said. These were communications he would never have thought twice about, until now, because the SEC also considered those jokes to be collusion.
Learning from the past
Brown said he believes the SEC was using the SolarWinds breach as a lesson for other organizations.
“Where I give the SEC a little bit of grace — at some point we'll figure out whether it's true — is I believe that they were looking for a case that would be public enough, that would be able to put CISOs on notice, put security teams on notice, and put executive teams and boards on notice that security is important and you should be talking about security more across the exec team, across the board — or else you're being negligent,” Brown said. “They can't create laws, but they can create precedents through enforcement.”
A lesson Brown wants people to take from his experience is that while no CISO or organization wants to limit what its employees say, within reason, under many regulations they have the right to, especially when those communications take place using company property.
“I never saw it said, ‘Be aware that the language you're using within a message can be looked at in a critical way,'” Brown said. “We didn't stress the idea of discovery and email being used against you or Teams being used against you.”
Brown and his RSAC co-presenter Ira Winkler, CISO and vice president at exposure management platform vendor CYE, shared the following advice to help CISOs and their organizations put controls in place to address this lesson:
- Put it in a policy. Create documents outlining acceptable conduct and communication. Get approval from the CEO down. Define consequences for noncompliance.
- Have an enforcement policy and enforce it. Apply the policy fairly across all employees.
- Educate users about the policies. Ensure employees understand the policy. Include what the policy entails and how it is enforced. For example, explain the discovery process, including email tracing and scraping.
- Adhere to regulations. Follow the appropriate and required industry, national and international regulations, as well as privacy laws, data protection laws and data retention laws.
- Encourage self-reporting. Create anonymous reporting capabilities for internal and external communications channels.
- Implement monitoring for internal channels. Implement just-in-time training and monitor all possible channels, including email and collaboration platforms.
Organizations should prioritize conversations about communications, interpretations and context, Brown said, and ensure all employees are informed and understand the situation clearly.
“If you're not thinking about it, you don't want to be the next Tim Brown — no offense,” Winkler said.
Sharon Shea is executive editor of TechTarget Security.