We have two primary camps in 2024. Those who believe it is dangerous to hold CISOs accountable for poor security practices and those who think it’s about damn time. I am of the latter mindset. To hold security leaders responsible, we need to allow them to be effective.

On October 30th of last year, 20203, The Securities and Exchange Commission announced charges against Austin, Texas-based software company SolarWinds Corporation and its chief information secIn 2024, the debate about whether CISOs should be held accountable for poor security practices is still ongoing. There are two primary camps – those who believe it’s dangerous and those who think it’s about time. I firmly belong to the latter group. To hold security leaders responsible, we must allow them to be effective. Last year, SolarWinds Corporation and its chief information security officer, Timothy G. Brown, were charged by the Securities and Exchange Commission for fraud and internal control failures relating to known cybersecurity risks and vulnerabilities. The complaint alleges that SolarWinds and Brown defrauded investors by overstating SolarWinds’ cybersecurity practices and understating known risks. During this time, SolarWinds misled investors by only disclosing generic and hypothetical dangers while knowing of specific deficiencies in their cybersecurity practices and the increasing risks they faced.

The SolarWinds situation should not only serve as a cautionary tale but also become a catalyst for effective change. The “House of Blame” approach to security is unacceptable. We need to empower our security and risk leaders to effect positive change instead of pointing fingers in times of crisis. By holding our CISOs accountable and allowing them to be effective, we can create a culture of security that benefits everyone.