The Securities and Exchange Commission’s recent indictment of the SolarWinds CISO grabbed my attention. I had to write about it from a DevSecOps, or operational, perspective. I hope this post can be useful to our CISOs as they navigate the responsibility of protecting the mobile channel, brand, and business.
The SEC Complaint in a Nutshell
On Oct. 30, 2023, the SEC filed a complaint against SolarWinds and its Chief Information Security Officer, charging “fraud and internal control failures” for “known cybersecurity risks and vulnerabilities.” In the complaint, the SEC charged that SolarWinds and its CISO made “misstatements, omissions, and schemes that concealed both the Company’s poor cybersecurity practices and its heightened— and increasing—cybersecurity risks.” The SEC also said that SolarWinds’ public statements “painted a starkly different picture from internal discussions and assessments about the Company’s cybersecurity policy violations, vulnerabilities, and cyberattacks.”
Practically speaking, our CISOs should zero in on three (3) critical elements of the claims against SolarWinds and its CISO:
- internal documents advising about the poor state of the cyber defenses (i.e., the known risk),
- the company’s public promise of sound cyber security (e.g., on the website and other public statements), and
- the adequacy of controls that follow standard security practices, such as penetration testing, and remediation as well as monitoring and incident response.
When you read the complaint, you can’t help but see the real culprit – the manual discovery, management and delivery – that sits at the center of this debacle. Trying to operationalize security manually – in presentations, emails, text messages, etc. – simply got the better of them and got them into hot water.
Do I Need to Take Action in light of the SEC Complaint?
Yes. Say, for example, as a cyber security professional or CISO you are aware that a mobile application, mobile channel or network is under or vulnerable to attack. Taking action is required.
In the SolarWinds complaint, the SEC made it clear that downplaying exploits, vulnerabilities and doing nothing isn’t an option. They zeroed in on internal communications from engineers, managers and others that highlighted cyber deficiencies and other vulnerabilities. They said SolarWinds and it’s CISO’s lack of response “reflected a culture that did not take cybersecurity issues with sufficient seriousness” and, instead, alleged that they engaged in “a scheme to conceal these issues from investors and customers.” The addition of “customers” is very important. Mobile brands can assume that “customers” in this context would include anyone from mobile end users to downstream mobile platform customers to enterprise customers of mobile B2B applications.
The main issue in the complaint is the juxtaposition of Solar Wind’s public touting of the high quality of its cyber security practices against the poor quality of its cyber defenses. The SEC said SolarWinds and it’s CISO understood that “adherence to sound cybersecurity practices was material to SolarWinds’ ability to obtain and retain business” but noted the company and its CISO failed to take action over a period of time. Bottom line: even if your brand doesn’t dedicate a webpage to tout its cyber security practices, if your mobile brand carries with it a promise of sound cybersecurity, you have to act fast. If your brand publicly touts its cybersecurity practices, you need to act faster.
Action Plan for Mobile App Security, Post SolarWinds
The most important thing we can advise our CISOs and cyber security teams is to make sure you’ve operationalized cyber security and fraud prevention in a way that will keep you far away from the perils of SolarWinds and its CISO.
Here are my top five (5) action steps for all CISOs and cyber teams at mobile brands:
- Follow Enhanced DevSecOps practices in your mobile business. This means that you should augment the normal Mobile Application Security Testing, penetration testing and similar tests of the mobile channel with real time monitoring of attacks and threats against the mobile business.
- Use a system of control & delivery to release cyber and anti-fraud defenses into the mobile app and channel. This means use a cyber defense automation platform like Appdome that cannot only code the mobile app defenses needed for your business but can also keep track of each cyber build-release, provide change and audit logs, track users, provide role-based access and more. The SEC zeroed in on the lack of internal controls and the fact that SolarWinds CISO had no evidence of delivery was a significant miss.
- Reduce the timeframe between discovery and remediation. This goes for real-time attacks as well as for simulated attacks and traditional pen testing results. The SEC went to great pains to highlight how SolarWinds and its CISO were aware of the deficiencies (and maybe even desensitized to them) and did nothing. Even when the attacks happened, lack of knowledge and long periods of inactivity were highlighted by the SEC.
- Eliminate Reliance on Engineering & Waivers. The SEC didn’t pause to consider if the CISO had the technology, tools, or resources to deliver the required protections. It made clear that the CISO was “responsible for the Company’s ongoing security efforts, as well as security architecture within its products” and “signed sub-certifications attesting to the adequacy of SolarWinds’ cybersecurity internal controls, which SolarWinds’ executives relied on in connection with SolarWinds’ periodic reports that were filed with the SEC.” As a CISO or cybersecurity professional at a mobile brand, “waivers” will only add to the problem, not solve it.
- Adhere to public statements and cyber brand promises. If your mobile brand carries with it a promise of sound cyber security controls, protections and practices, live up to them and be prepared to show (build-by-build, release-by-release) how you do so.
Follow these action steps as part of a foundation strategy to stay far away from the perils of SolarWinds. Remember, “automation” and its close cousin “speed” are key. The ability to show continuous proof of protection and remediation is critical too.
Being a CISO Post SolarWinds
When I read the complaint, I feel for the CISO of SolarWinds. His challenge is similar to the challenges of all CISOs. At Appdome, we empower CISOs and cyber professionals with visibility, management and control over your mobile app defense strategy. Of course, I believe Appdome is in the perfect position to help CISOs meet these challenges. Built as an automation and compliance platform, Appdome allows CISOs to tailor the mobile app defense model to meet your brand objectives and adapt your cyber and anti-fraud defenses in real time, eliminating the dependency on engineering, engineering work and other complexities often associated with protecting the mobile app brand and channel. Appdome also allows CISOs to monitor defenses and new attacks in real time, further reducing the timeframe from discovery to remediation for all attacks. And, finally, Appdome partners with many of the world’s leading mobile application security testing and penetration testing companies to ensure mobile applications are always protected with best practice security features.
I’m extremely proud that our CISOs are fully prepared to meet the challenges of this post SolarWinds world. I hope you all found this post helpful. As always, if you have any questions, just drop me a line.