SolarWinds: Making Security a Priority. After the Barn Burned and Running in the Crime Derby

March 31, 2021

I read a remarkable write up called “SolarWinds CEO Gives Chief Security Officer Authority and Air Cover to Make Software Security a Priority.” The article is notable for the information omitted. Here’s a passage I noted:

He created a cybersecurity committee for the board that includes him and two sitting board members. He also said that he has given the company’s chief security officer the power to stop any software release if necessary to address security concerns.

A security committee. Will the group produce a security solution which is elegant, effective, and able to restore trust?

The write up identifies the causes of security breaches. These are managerial missteps. Obviously SolarWinds believes a committee is the optimal way to deal with wonky management by those with an eye on the bottom line, bonuses, and a responsibility-free tenure as top dog.

The technical causes are not really causes. Sorry, but phishing is not a cause. Phishing is a method implemented because employees have inadequate training and the organizations employing these people drop the ball in setting up a defensible perimeter.

Why is this remarkable? Misdirection, blame shifting, and a belief a committee can overcome MBA thinking, compensation incentives, and what I call a high school science club sense of exceptionalism.

Stephen E Arnold, March 31, 2021


