Debating SEC Actions and Their Impact on CISO Practices By Matthew Rosenquist, Jim Routh &Micheal W. Reese

 Welcome to today's webinar on the CESA platform. We're discussing the significant legal and professional implications arising from the SEC's enforcement action against SolarWinds and its CISO, Timothy Brown. This topic has sparked intense debate within the cybersecurity community, polarizing professionals into two camps. Our esteemed speakers, Matthew Rosenquist, Jim Ralph, and Michael Rees, bring their expertise to help us navigate this complex issue.




Here is the verbatim discussion:

And we have to ask ourselves so why are we discussing this case and the answer is this topic has created a number of heated discussions in the hallways of cesos across the country and Globe bifurcating the cyber security professional Community into into two opposing groups or camps if you will and this is for this year this has been one of the most p passionate topics people have just dove into with one side declaring SEC actions to be an affront to the role of cesos essentially unfairly targeting them as scapegoats and making their already difficult job unnecessarily more problematic and the other side tends to be stating that this is a matter where individuals broke something so I think this as a precedent type of case I think it will change our industry one way or another regardless of whether someone's convicted or not I think it will change the behaviors in our industry hopefully matured in a good healthy way and it may require tools it may just require kind of Behavioral changes on the ciso part but I think it's it will leave an indelible mark on our community so you know one of the things I want to talk about here is you know what are what are the charges right what is is actually being stated in there because different people throw different things around there so you know the SEC requires that public companies on a quarterly basis when they're seeking funding and when a material incident occurs that they're required to file very specific SEC forms um S1 S8 8K and these formally attest to as these certain aspects that investors or prospective investors they need that information and they have a right to this information but they need that information to decide if they want to put their money into the company or keep it in the company and this is about disclosure and it it enables investors to make informed decisions and generally speaking right if you tell the truth on these forms you're fine nobody's going to come slap you on the hand um if you're telling the truth regardless.




Community Division:

  • The SEC's actions have split the cybersecurity community. One side views the actions as an unjust scapegoating of CISOs, making their challenging roles even harder. The other side believes that individuals who fail in their duties should be held accountable, regardless of their position.

Precedent and Industry Impact:

  • This case is seen as a landmark that will influence the cybersecurity industry significantly, irrespective of the final verdict. It has the potential to change behaviors, possibly leading to both positive and negative outcomes for the industry.
  • There is hope that it will lead to a maturation in practices, though it may also necessitate new tools or behavioral changes among CISOs.

Legal Obligations and Charges:

  • The SEC's case hinges on the requirement for public companies to file specific forms (S1, S8, 8K) quarterly, especially when seeking funding or after a material incident. These forms are crucial for investor information and decision-making.
  • The core of the charges involves alleged failures in disclosure, which is a critical component of corporate transparency and investor trust.

Disclosure Requirements:

  • Accurate and truthful disclosure on these forms is essential. The SEC’s enforcement action underscores the importance of providing complete and honest information to enable investors to make informed decisions.
  • The case exemplifies the severe consequences of failing to meet these obligations, highlighting the critical role of transparency in corporate governance.


The SEC's enforcement action against SolarWinds and its CISO, Timothy Brown, has brought to the forefront the intense scrutiny and significant responsibilities faced by cybersecurity leaders. This case, whether resulting in a conviction or not, will leave a lasting impact on the cybersecurity industry. It serves as a pivotal moment that could either strengthen the role of CISOs through improved practices and support or deter talented professionals from taking on these critical roles due to increased personal risk.

As we move forward, it is essential for the industry to balance accountability with fair and supportive measures for cybersecurity leaders. This will ensure that while transparency and compliance are upheld, the vital role of CISOs is protected and empowered to continue defending against ever-evolving cyber threats.



Jim Routh a board member, advisor and investor with specific expertise as a transformational security leader focused on applying risk management discipline to a converged security function for global enterprises to achieve enterprise resilience. Demonstrated track record of designing security control using innovation and data science to align senior executives to deliver world-class level security capabilities to drive positive business results in a digital world.


Micheal W. Reese Over 30 years’ experience in Information Technology serving in senior executive positions encompassing security, general operations management, project management, process change and development, business development as well as service and product management functions. A Cybersecurity Specialist, licensed as a Computer Forensics Investigator, Certified Information Systems Security Professional, Hacking Forensic Investigator and Fire and Explosion Investigator . Assisted both the DOJ and FBI on several matters, worked with High Tech Crime Units in Portland and Sacramento. Given expert witness testimony in hearings, depositions and at trial.


Matthew Rosenquist is a seasoned cybersecurity strategist and Chief Information Security Officer (CISO) with over three decades of experience. With a remarkable career at Intel Corporation spanning 24 years, he spearheaded key security initiatives, including establishing Intel's first Security Operations Center and leading cyber crisis response teams. As an influential figure in the industry, he currently serves as the CISO for Eclipz and advises numerous organizations worldwide on cybersecurity, emerging threats, privacy, and regulatory compliance. With a unique ability to bridge technical expertise with business acumen, Matthew is renowned for developing effective security strategies and enabling organizations to navigate complex cyber risks while optimizing security, privacy, and governance.

E-mail me when people leave their comments –

You need to be a member of CISO Platform to add comments!

Join CISO Platform

CISO Platform

A global community of 5K+ Senior IT Security executives and 40K+ subscribers with the vision of meaningful collaboration, knowledge, and intelligence sharing to fight the growing cyber security threats.

Join CISO Community Share Your Knowledge (Post A Blog)



CISO Breakfast at BlackHat Las Vegas 2024!

  • Description:

    We are thrilled to invite you to the CISO Breakfast at BlackHat 2024. 

    CISOPlatform is a community partner for the event which is co-hosted by Silicon Valley Bank, Stage One, First Rays Venture Partners, Latham & Watkins.


    Event Details: 

    • Date: Thursday, August 8th,…
  • Created by: pritha
  • Tags: blackhat usa, las vegas, ciso breakfast, usa