I wrote a post about the SEC complaint against SolarWinds. To be honest, I was really surprised by the complaint. Not that mistakes were not made, but holding executives responsible is a tricky precedent to start. It definitely puts CISOs, who are already working against a lot of culture and lack of resources, on notice. It might also give them what they need to justify appropriate security resources for the risks they face. I guess it will play out over a long time. I think there are good and bad things about the detail of the complaint, but it seems to be testing the limits for sure. To me it highlights several systemic issues with security and disclosure for public companies. First, there is no objective standard we can apply universally, and therefore any outcome will be subjective. Second, it seems to put companies in a position where they won't want to disclose, but they will need to find the right things to disclose in the right way to stay on investors' good side. I'm really not sure how that will work. If I were defending SolarWinds, I would point to the arbitrary standards for disclosure and to the fact that, despite gaps, tactical improvements probably have been made. No company can fix all the things they know about. Where is the line? Can we really just point to something after it has been exposed and say that is punishable when we can't hand them a list of what could be punished in the first place? https://lnkd.in/dGPffRNv #cisolife #ciso #security #fraud
All of this ^^^^. Well said, Matt.
VP, Information Security at Thentia
Well said, Matt Konda! Blame will always be thrown after any material failure. Striking the right balance between agility and clarity of risk perspective will continue to be the obstacle. This doesn’t change much, but as with all the evolutions that have come to the IT security realm, it’s another step further from chaos, so it’s not all bad.