Updated: Nov 9
The SEC lawsuit against the CISO of SolarWinds will likely have far-reaching implications for board members and the C Suite of public companies, for CISOs themselves, and even for how organizations use security tools. First, this lawsuit is a big wake-up call for board members and the C Suite of public companies. It underscores the SEC’s readiness to hold companies and their top executives accountable for failing to disclose known cybersecurity risks. This case serves as a stark reminder that cybersecurity is not just an IT issue but a significant business risk that warrants attention at the highest levels of corporate governance. Board members and the C Suite must prioritize cybersecurity, invest in the necessary infrastructure, and foster a culture of transparency and accountability in managing cyber risks. The potential legal and reputational consequences of neglecting these responsibilities are too significant to ignore.
For CISOs themselves, the SEC lawsuit signals a regulatory shift where CISOs can be held personally accountable for failing to disclose known cybersecurity risks. As a result, CISOs are now seeking to insulate themselves from potential liability during job negotiations. They increasingly ask for personal protection measures typically reserved for top executives, such as severance agreements and directors' and officers' insurance. This case serves as a stark reminder for CISOs about their role in managing cyber risks, the need for vigilance in maintaining cybersecurity standards and practices, and the significance of negotiating strong personal support measures during job offers.
Another interesting implication of the lawsuit is that it could change how security teams use security tools, especially those that improve an organization’s security posture. Solutions in this domain include cloud security posture management (CSPM), data security posture management (DSPM), and a new addition to the space, identity security posture management.
Security teams could become more wary of solutions that uncover exposures, misconfigurations, and vulnerabilities but do not prioritize these issues based on their risk to the business and, more importantly, do not provide an easy way to remediate discovered issues.
AuthMind has kept this front and center as we developed our identity SecOps platform. Our approach to identity security posture management is to provide complete visibility into human and machine access flows to assets, whether they are SaaS applications or deployed in the cloud or on-premises. This includes shadow identities not managed by the central IT and security team, unmanaged assets, and even unmanaged security tools such as shadow directories. And the need for this visibility is only going to increase. According to Gartner, by 2027, 75% of employees will acquire, modify, or create technology outside IT’s visibility, up from 41% in 2022.
AuthMind doesn’t only provide visibility. The platform also prioritizes which issues to address based on the risk level (critical, high, and medium) and can easily integrate with other systems, such as CMDBs (configuration management databases), for additional context. The platform also provides extensive guidance on best practices to address identity security posture issues, such as lack of MFA, usage of risky credentials, and managing unauthorized access.
Comprehensive visibility and a proactive posture are essential in light of the SEC’s actions because, even though its legal efforts stem from what it called “egregious misconduct,” the potential for a slippery slope exists. Where is the line drawn? No one knows for sure.
So, where does this put CISOs? Their responsibilities will get more eyeballs, and C-suites don’t have much choice but to firmly cement their process for improving their overall security posture. To get that done, identity security posture management solutions like AuthMind will likely emerge as a cornerstone tool for CISOs and their teams, alongside CSPM and DSPM.