SEC Accountability and Its Impact on CISOs: Lessons from the SolarWinds Case By Matthew Rosenquist, Jim Routh &Micheal W. Reese

In today's webinar, we delve into the legal implications and ramifications stemming from the SEC's enforcement action against SolarWinds and its Chief Information Security Officer (CISO), Timothy Brown. This case has significant implications for cybersecurity professionals, particularly those in leadership positions. Our speakers, Matthew Rosenquist, Jim Ralph, and Michael Rees, bring their extensive experience in cybersecurity to discuss these critical issues.



Here is the verbatim discussion:

In some cases we've gotten that seat at the table and look what's happened now we have the seat at the table and a lot of cesos aren't under the indemnify policy um even though your CEO your CFO might be your ceso is not so your ceso is sitting alone um and we're seeing what can happen with that and this is a perfect example and again let's let's make sure we're not being the judge and jury here we're seeing the filing from the SEC we see what they have coming to the table they've kind of put their cards on the table and said this is what we're going to charge both solar winds and Timothy brown with um you can look at that and say yeah man it's pretty clear that there's some fraud involved here we haven't seen the other side of that right we haven't seen the discoverable items from the you know you've seen the prosecution side but you haven't seen the defendant side once you see all of that evidence put together and as forensic investigators we go out and we we find the facts and we put the facts on the table then the attorneys start dealing with those facts and they can manipulate and change them and make them kind of go in the favor they want them to go so again let's be real careful not to say hey we're going to be judging jury here and we just we find him guilty because of what this SEC filing says um again for us as CEOs we need to be very careful because this is and there's somewhat of a collaborative effort between the regulator and the Private Industry to kind of work out the Kink so to speak but when there's an enforcement action taken like this it sets a precedent for how the agency in this case C SEC will uh do enforcement and in this particular case uh we've got a ciso that's uh basically uh being reprobated Ed for not sharing uh information at the right time around uh security posture as well as uh not sharing the right information uh in on both counts uh and the enforcement action uh against an individual uh as a ciso it sets a precedent and that precedent has ramifications and that's what's creating a backlash of practitioners saying ho wait a minute here this you know this enforcement action appears to be a bit Draconian uh in enforcing on an individual and not necessarily warranted and then as we peel back uh kind of the layers uh there's some pretty good arguments to support the notion that uh this is not a precedent that is good for the industry it's actually a precedent that is negative has negative consequences uh to the industry so some of those negative consequences include uh potential Chief information security officers interviewing for a ceso role and deciding during the interview process that they're uncomfortable with the potential risk to them as an individual and they step down and say take me out of the Hat you know I'm.




Seat at the Table for CISOs:

  • Many CISOs now have a "seat at the table" in executive discussions, but this position comes with increased scrutiny and responsibility.
  • Unlike other executives, CISOs often lack indemnification policies, leaving them personally vulnerable in legal matters.

SEC's Case Against SolarWinds and Timothy Brown:

  • The SEC has filed charges against SolarWinds and its CISO for alleged fraud and failure to disclose crucial information regarding security posture.
  • It is important to remember that the charges represent the prosecution's perspective, and the defense's evidence and arguments have yet to be fully presented.

Legal and Industry Precedents:

  • This enforcement action sets a significant precedent for how regulatory bodies like the SEC handle cybersecurity disclosures and executive responsibilities.
  • The case is seen as a test of how far regulatory agencies will go in holding individuals accountable for organizational cybersecurity failures.

Implications for CISOs:

  • The enforcement action raises concerns within the cybersecurity community about personal liability and the potential for draconian measures against individual CISOs.
  • There is fear that such precedents could deter skilled professionals from pursuing or remaining in CISO roles due to the increased personal risk.

Industry Backlash:

  • The case has sparked a backlash among cybersecurity practitioners who view the SEC's actions as excessive and potentially harmful to the industry.
  • There are arguments that this kind of enforcement could negatively impact the willingness of qualified individuals to take on CISO roles, ultimately weakening cybersecurity leadership across organizations.


The SEC's case against SolarWinds and its CISO Timothy Brown underscores the evolving and complex landscape of cybersecurity accountability. As CISOs gain more influence in corporate decision-making, they also face greater personal risks. This enforcement action not only highlights the need for clear and fair regulatory standards but also the importance of supporting CISOs through adequate legal protections. The outcome of this case will likely have lasting implications for the cybersecurity profession, influencing how future incidents are managed and how responsibilities are allocated within organizations. It is crucial for the industry to closely follow this case and advocate for balanced approaches that protect both organizations and their cybersecurity leaders.



Jim Routh a board member, advisor and investor with specific expertise as a transformational security leader focused on applying risk management discipline to a converged security function for global enterprises to achieve enterprise resilience. Demonstrated track record of designing security control using innovation and data science to align senior executives to deliver world-class level security capabilities to drive positive business results in a digital world.


Micheal W. Reese Over 30 years’ experience in Information Technology serving in senior executive positions encompassing security, general operations management, project management, process change and development, business development as well as service and product management functions. A Cybersecurity Specialist, licensed as a Computer Forensics Investigator, Certified Information Systems Security Professional, Hacking Forensic Investigator and Fire and Explosion Investigator . Assisted both the DOJ and FBI on several matters, worked with High Tech Crime Units in Portland and Sacramento. Given expert witness testimony in hearings, depositions and at trial.


Matthew Rosenquist is a seasoned cybersecurity strategist and Chief Information Security Officer (CISO) with over three decades of experience. With a remarkable career at Intel Corporation spanning 24 years, he spearheaded key security initiatives, including establishing Intel's first Security Operations Center and leading cyber crisis response teams. As an influential figure in the industry, he currently serves as the CISO for Eclipz and advises numerous organizations worldwide on cybersecurity, emerging threats, privacy, and regulatory compliance. With a unique ability to bridge technical expertise with business acumen, Matthew is renowned for developing effective security strategies and enabling organizations to navigate complex cyber risks while optimizing security, privacy, and governance.

E-mail me when people leave their comments –

You need to be a member of CISO Platform to add comments!

Join CISO Platform

CISO Platform

A global community of 5K+ Senior IT Security executives and 40K+ subscribers with the vision of meaningful collaboration, knowledge, and intelligence sharing to fight the growing cyber security threats.

Join CISO Community Share Your Knowledge (Post A Blog)



CISO Breakfast at BlackHat Las Vegas 2024!

  • Description:

    We are thrilled to invite you to the CISO Breakfast at BlackHat 2024. 

    CISOPlatform is a community partner for the event which is co-hosted by Silicon Valley Bank, Stage One, First Rays Venture Partners, Latham & Watkins.


    Event Details: 

    • Date: Thursday, August 8th,…
  • Created by: pritha
  • Tags: blackhat usa, las vegas, ciso breakfast, usa