New York City, United States, February 6, 2024 — Two articles just released point to new concerns after the Securities and Exchange Commission filed an enforcement action in October against the SolarWinds software company. What caught the attention of the tech world is that the SEC also named the company’s chief information security officer (CISO) in the complaint. Edward Amoroso, CEO of the research and advisory firm TAG, which published the articles in its Security Quarterly, said the SEC’s action has put CISOs in a difficult position.
It began when SolarWinds disclosed in 2020 that it had been hit with a cyberattack that has been attributed to a country in Eastern Europe and may have left thousands of the company’s clients vulnerable. The SEC’s complaint in October alleged that SolarWinds misled investors by overstating its security practices and understating known risks. When the SEC took the unusual step of including CISO Timothy Brown in the complaint, the agency cited multiple communications between Brown and his security team.
The SEC’s focus on Brown has left dozens of CISOs shaken, according to Joe Sullivan, the former chief security officer of Uber. Sullivan said in one of the articles that he recently met with a group of 25 CISOs to talk about the matter, and he’s also spoken with Brown.
“I would say that the security community leadership is shaking in their shoes,” Sullivan said. “They feel completely misunderstood, both in terms of the SEC’s expectations of them and their ability to have influence and actually get stuff done.”
Sullivan, a former federal prosecutor, was the first prominent CISO who found himself in the crosshairs of law enforcement. Yet, he remains widely respected in the field.
In the Quarterly’s second article on this subject, Amoroso debated the proper role of a CISO with Matthew Rosenquist, himself a former Cybersecurity Strategist at Intel who is now an industry adviser and podcast host. Rosenquist defended the SEC’s actions against SolarWinds and Brown. He found the SEC’s complaint “very articulate.”
“It’s about knowingly misrepresenting or attesting to something on SEC forms that go to shareholders or people looking to invest,” Rosenquist said. Amoroso countered that CISOs are overmatched and their job is not to fill out SEC forms. “Lawyers have to fill out the 8-K, not the CISO,” said Amoroso, the former longtime chief security officer at AT&T.
The new edition of the publication also includes exclusive interviews with executives from leading cybersecurity and artificial intelligence companies. Readers can download the Quarterly for free and access select Analyst Reports from TAG’s team of experts, offering valuable insights into the latest trends and developments in the cybersecurity domain.
For media inquiries, please contact: Lester Goodman, Director of Content, TAG lgoodman@tag-cyber.com; 914.588.1369
About TAG:
TAG utilizes an AI-powered SaaS platform to deliver cutting-edge insights on cybersecurity, artificial intelligence, and climate science. The company’s unique approach combines technology and expertise to empower organizations with the knowledge needed to navigate these complex landscapes. We provide on-demand recommendations to commercial solution providers and Fortune 500 enterprises.
Contact Info:
Name: Lester Goodman
Organization: TAG Infosphere, Inc
Email: lgoodman@tag-cyber.com
Website: https://tag-infosphere.com/
Address: 45 Broadway Suite 1250, (1 block from Wall Street), New York, NY 10006
