The US Securities and Exchange Commission’s Nov. 30 decision to dismiss its lawsuit against SolarWinds and its CISO, Tim Brown, was met with immediate and widespread joy across the cybersecurity leadership community.

For many CISOs, the dismissal landed not as an abstract legal development, but as something deeply personal. “Thank God,” Gadi Evron, CEO and founder of Knostic and CISO in Residence for AI at the Cloud Security Alliance, said when he learned of the dismissal. “People are feeling relieved, and there is a sense of community and celebrating together,” he tells CSO.

“I breathed a sigh of relief,” Diana Kelley, CISO of Noma Security, tells CSO. After five years of investigation, litigation, and public scrutiny, “I think a lot of CISOs [let out a collective exhale] around this case,” she adds.

That collective sense of relief, however, should not be mistaken for closure. Experts emphasize that the case did not erase the personal and professional risks of being a CISO, nor did it resolve the deeper structural tension it exposed. Security leaders are still held publicly accountable for cyber failures while lacking full authority over budgets, disclosures, and enterprise risk decisions.

Even though the SolarWinds case sparked a deeper recognition that cybersecurity responsibility should be a shared responsibility across enterprises, shifting policy priorities and future administrations could once again put CISOs in the SEC’s crosshairs, they warn.

In the meantime, the legal saga of Tim Brown — along with the federal conviction of former Uber CISO Joe Sullivan in 2022 — highlights critical steps CISOs can take to protect themselves and their organizations before any similar litigation arises in the future.

Overview of the case: From Russian hackers to dismissal

To understand why the SolarWinds case sent such a chill through the CISO community, and why its dismissal matters, a recap of how the breach unfolded and how the SEC framed its claims is useful.

Beginning in 2019 and continuing through November 2020, threat actors — widely believed to be the threat group known as APT20 or Cozy Bear, part of Russia’s foreign intelligence service or SVR — compromised the Orion IT management solution sold by SolarWinds by inserting malicious code into a legitimate software update.

Using malware called SUNBURST, the attackers installed a backdoor that affected roughly 18,000 customers, although a much smaller subset was selectively exploited, including multiple US government agencies and major companies.

Years after the technical compromise itself, the fallout took a more personal turn. Amid a streak of other publicly alarming, high-profile breaches in the US, on Oct. 30, 2023, the US Securities and Exchange Commission filed a civil action against SolarWinds and — to the shock of many — its CISO, Brown, alleging fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.

The lawsuit claimed that SolarWinds and Brown defrauded investors by overstating SolarWinds’ cybersecurity practices and understating or failing to disclose known risks. On July 18, 2024, federal judge Paul Engelmayer dismissed most of the lawsuit’s claims.

“He basically dismissed all the charges in terms of post-incident activity and said it is easy to be a Monday morning quarterback, but you’re going to have to prove that they really did something intentionally misleading,” Sullivan, who is also a former federal prosecutor and is now CEO of Joe Sullivan Security, tells CSO.

The remaining claims focused on Brown and the degree to which cybersecurity statements posted on SolarWinds’ website before the incident were appropriate in terms of advising customers of their risks. “The judge really focused on that one publication on the company’s website that went into some specificity about what the company does from a cybersecurity perspective and got frankly fairly granular as far as these things go,” Cara Peterman, partner with Alston & Bird’s Securities Litigation Group, tells CSO.

The judge’s reasoning reassured many security leaders, but it also exposed a more profound discomfort about how accountability is assigned inside modern organizations. “The area that a lot of us were really uncomfortable about was the idea that an operational head of security could be personally responsible for what the company says about its cybersecurity investments,” Sullivan says.

He adds, “Tim didn’t have the CISO title before the incident. And so there was just a lot there that made security people very concerned. Why is this operational person on the hook for representations?”

But even if he had had the CISO role before the incident, the argument still holds, according to Sullivan. “Historically, the person who had that title wasn’t a quote-unquote ‘chief’ in the sense that they’re not in the little room of people who run the company,” Sullivan says. “They don’t report to the CEO; they don’t get a huge budget.”

Perhaps in recognition of this fact, and after settlement talks among the SEC, SolarWinds, and Brown, the securities regulator dropped its suit.

In a statement, company CEO Sudhakar Ramakrishna said, “We said from the beginning — and demonstrated during the litigation — the claims were unfounded, and we are happy the SEC has finally decided to abandon them. We stood firmly with our CISO, Tim Brown, and this decision affirms our belief that our team acted with integrity throughout.” SolarWinds has kept Brown on as CISO and paid for his legal representation.

Responsibility without authority is the real risk

At the heart of the SolarWinds lawsuit was a familiar problem for security leaders: responsibility without authority. The dynamic that caught Tim Brown in the SEC’s jaws is that, despite his experience, seniority, and title, he, like most CISOs, carries tremendous responsibility without any real organizational authority to back him up — with concerns around personal liability in the face of that further souring many CISOs on the role.

“We have a lot of the responsibility and very little of the authority,” Knostic’s Evron says. “The organization manages the risk. Our job is to present the risk and to manage the risk once the organization decides what risk to take.”

“We work in a larger ecosystem,” Noma Security’s Kelley adds. “We are not all-powerful. We cannot make all decisions in a company. We must work within the budget. We can advocate for a budget, but then the budget is decided collaboratively by the business. The same with our resources for headcount, or decisions on what is allowed or what’s not allowed in terms of new controls or new policies.”

However, since the lawsuits against Sullivan and Brown first emerged, CEOs and other high-ranking decision-makers have increasingly come under more pressure to accept some of the cyber incident legal liabilities that have often been the sole province of CISOs.

“In my case, at my sentencing hearing, the judge turned to the prosecutor and repeatedly asked, ‘Why isn’t the CEO charged?’” Sullivan says. “The judge literally said, ‘As far as I’m concerned, the CEO is at least as culpable, if not more, as anyone else inside the company when it comes to the situation.’”

Sullivan adds, “In Australia, in the Qantas case, the board took away the bonuses for the CEO and a bunch of others. In one of those DOJ civil cyber fraud cases, the Aero Turbine case, they pierced the corporate veil and went after the private equity firm as well. There is a growing recognition inside government enforcement authorities that if you want to change corporate behavior, you’ve got to aim a little higher than the CISO.”

How CISOs should protect themselves

If the SolarWinds case clarified anything, it’s that relief is temporary and preparation is essential. CISOs have a window of opportunity to shore up their organizational and personal defenses in the event the political pendulum swings and makes CISOs litigation targets again.

“I feel that the SEC staff over the past five to ten years has become more educated and has a more in-depth understanding and knowledge as to how this all works,” Alston & Bird’s Peterman says. “CISOs should be breathing a sigh of relief with this development, but I would be cautious about reading into it too broadly based on shifting changes within this administration or the next one,” Peterman adds.

“Brown had to live through five years of this, first, investigation and, then, litigation,” she says. “And I assume that comes with a significant personal toll, psychological toll, and physical toll. [Brown suffered a heart attack during the litigation.] If CISOs don’t have the necessary indemnification agreements or directors and officers [D&O] insurance protections via the bylaws or by agreement, it can also mean that even if you win, it carries a significant financial toll.”

Noma Security’s Kelley emphasizes that CISOs will still be the face of cybersecurity for most organizations, which means continued diligence in how risks are communicated. “When customers or regulators or investors need answers, none of that has changed [as a result of the SolarWinds dismissal]. One of the takeaways is being very intentional and accurate in how we communicate about our programs.”

Sullivan advises CISOs and other security leaders to become proactive and communicate throughout the organization what they need. “It’s really important that we not sit in the corner and just let all the risks sit on our shoulders,” he says. “We have to engage with the rest of the executives and the CEO and say, ‘Look, cybersecurity is a company decision.’”

He also stresses that the CISO community owes a debt of gratitude to Brown for his fortitude. “A lot of us are really grateful for Tim for how he didn’t disappear during this process,” Sullivan says. “He spent a lot of time out at different events, typically closed-door ones, meeting with a lot of people. I had the opportunity to be on panels and calls with him where he and I shared a stage. All of us are very happy that Tim made it through this in one piece, and that he’s standing and that he still has his job.”