Welcome to Razorwire, the podcast where we cut through the noise to bring you incisive discussions on all things cybersecurity. I'm your host, Jim, and in today's episode, we delve into the SEC charges against SolarWinds CISO, a case that has sent shockwaves through the infosec community.

In this episode, our guests Iain Pye and Chris Dawson discuss the hype surrounding the trial, its impact on the infosec community, and the potential consequences for all Chief Information Security Officers (CISOs).

We also explore the uncertainties surrounding the CISO's responsibilities and actions within the organisation regarding addressing security vulnerabilities, as well as the potential implications of the SEC ruling on CISOs' risk aversion and self-interest.

Lastly, we talk about the dynamics of security compliance certifications and the potential manipulation involved in obtaining them.

If you're a cybersecurity professional, join us as we dissect the complexities of CISO responsibilities, the SEC's pursuit of individuals over organisations, and the implications of legal actions on the infosec landscape.

Tune in for an insightful discussion that will challenge your perspectives and keep you on the cutting-edge of cybersecurity issues.

"Companies are now telling victimised organisations not to produce an incident response report or similar or any type of report. Any such report should be delivered verbally or kept off any electronic or paper documents as much as possible as they could be subpoenaed in future lawsuits and may reveal that the company to be at fault."

Iain Pye

Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen

In this episode, we cover the following topics:

- The aftermath of the SEC charges against SolarWinds CISO and the debate surrounding the implications for the infosec community

- The challenges and potential issues surrounding auditors' understanding of risk management and cybersecurity processes

- Discussion of internal messaging about cybersecurity vulnerabilities within SolarWinds and potential misrepresentation of cybersecurity practices

- The impact of underfunding on information security departments and the challenges faced in training and securing environments

- The potential for individuals to whistleblow on security vulnerabilities and the SEC's regulatory role to hold organisations accountable

- The debate on the extent of the CISO's authority within the organisation and the support required from the board in addressing security vulnerabilities

- The potential impact of the SEC ruling on CISO decision making and the resulting risk averse behaviour

- The potential impact of pressure from insurance companies and the SEC's focus on shareholder rights and company ethics

- Suspicions of misrepresentation and potential manipulation in obtaining security compliance certifications and ISO audits

- The role of CEOs and senior management priorities in influencing cybersecurity practises and certifications

Resources Mentioned

- SolarWinds

- SEC (U.S. Securities and Exchange Commission)

- ISO 27,001