<p>“Anything you say can and will be used against you.”</p>
<p>As the first CISO to be personally named in an SEC civil fraud lawsuit, Tim Brown knows all about how what he and his colleagues said, whether routine industry language or benign jokes, could be used against him and his company, SolarWinds.</p>
<p>Brown was the CISO at SolarWinds when the <a href="https://www.techtarget.com/searchsecurity/news/252493603/SolarWinds-backdoor-used-in-nation-state-cyber-attacks">infamous 2020 supply chain attack</a> occurred. Nation-state hackers had injected a backdoor into SolarWinds Orion updates, which were digitally signed and delivered through the vendor's normal update channel to thousands of customer networks. The attackers then used that foothold for cyberespionage against selected targets, including U.S. government agencies and private companies.</p>
<p>What ensued was not only what is widely regarded as the first large-scale, highly sophisticated supply chain attack executed through a trusted software vendor, but also an SEC records demand and interrogation unlike anything Brown had imagined possible, given that he knew he had nothing to hide.</p>
<p>In October 2023, SolarWinds and Brown were <a href="https://www.techtarget.com/searchsecurity/news/366557697/SEC-charges-SolarWinds-for-security-failures-fraud">charged with fraud</a> for misleading investors regarding cybersecurity risks and internal control failures. After a five-year process, the charges against the company and Brown were ultimately <a target="_blank" href="https://www.cybersecuritydive.com/news/sec-drops-civil-fraud-case-solarwinds/806126/" rel="noopener">dropped</a>, but not before Brown learned some eye-opening lessons about communications, interpretations and what truly can and will be used against you.</p>
<section class="section main-article-chapter" data-menu-title="Don’t share too much">
<h2 class="section-title"><i class="icon" data-icon="1"></i>Don’t share too much</h2>
<p>In the days and months following the 2020 breach, Brown shared more details with the public than many companies might. During an RSAC 2026 Conference presentation, Brown, currently general partner and CISO in residence at venture group Team8, admitted that the safest move — at least in terms of his own liability — would have been to stay silent. But, given public scrutiny of the incident, that would probably have put the company out of business.</p>
<p>“We got into a rhythm of sharing and sharing and sharing, and it really helped our process,” Brown said. He explained that it enabled the company to <a href="https://www.techtarget.com/searchsecurity/feature/What-executives-must-know-about-nation-state-threat-actors">educate the industry about nation-state attacks</a> and their tactics, as well as to share the steps it was taking to build cyber resilience.</p>
<p>But sharing too much isn’t always a good thing. According to Brown, his openness was a driving factor in the SEC’s investigation, in which the agency collected SolarWinds’ internal records, devices and communications, and it contributed to the SEC ultimately bringing charges against him and the company.</p>
</section>
<section class="section main-article-chapter" data-menu-title="Watch what you say">
<h2 class="section-title"><i class="icon" data-icon="1"></i>Watch what you say</h2>
<p>In the first year of the investigation, the SEC collected data to build a case. It gathered company communications and emails, and asked Brown for information from his phone, including WhatsApp and Signal messages.</p>
<p>“One of my naïve beliefs at the beginning was somebody was looking for the truth,” Brown said. But, he added, he soon found out that no one was looking for the truth; they were searching for enough information to bring a compelling case to the enforcement division.</p>
<p>During the data-gathering and investigation phases, Brown was struck by which types of communications were called into question.</p>
<p>For one, industry terminology was misread. Emails among him, the CTO and the CIO often used the phrase “continuous improvement,” for example, a well-known term in the IT industry. The SEC questioned how they could possibly be “continuously improving.”</p>
<p>The SEC also asked why the company had an <a href=”https://www.techtarget.com/searchsecurity/opinion/How-to-plan-an-IAM-program-strategy”>identity program</a> that lasted multiple years. As any CISO knows, identity programs are ongoing initiatives that only grow and evolve — they never “end.” Brown said he was asked if he was incompetent.</p>
<p>“Normal operating procedures became proof, from [the SEC’s] perspective, of negligence,” Brown said. He cited an internal audit report that found five instances of misconfigured access controls. According to the SEC complaint, this was a “systemic issue” — despite the audit also re
[…]