Today, in what has been nothing less than a herculean effort to file an Amicus Brief on behalf of the CISO and security professional community in the matter of SEC v. SolarWinds and Tim Brown, thirty current and former chief information security officers (CISOs), leading cybersecurity organizations, and professionals raised their voices and filed a critical Amicus Brief to educate the court on the third-party impact of the case on the CISO, technology and broader cyber ecosystem.
Read the full CISO brief ➡ : https://lnkd.in/eMy3c3aa. More briefs were filed by the Software Alliance, and by leading former government officials (see comments).
OpenPolicy's CEO and Co-Founder, Dr. Amit Elazari, had the honor of working very closely on this brief with the fantastic legal team from Cooley LLP and Freshfields Bruckhaus Deringer, led by Andrew Goldstein.
In Cooley's terms, the Amicus Brief represents CISOs and the broader cybersecurity community, argues that CISOs play an indispensable role in national security and cybersecurity, and notes that the SEC’s action threatens to undermine the flexibility needed for CISOs to effectively triage cybersecurity risks. The brief points to the harmful consequences of the SEC’s theory of CISO liability – including its reliance on Brown’s efforts to identify cybersecurity vulnerabilities and resolve them proactively. According to the brief, by asserting liability under the facts alleged in its complaint, the SEC’s action risks undermining core CISO job functions. And, given the SEC’s expansive theory of liability against CISOs and organizations that fall victim to such attacks, the brief highlights powerful evidence that this action is dangerous and counterproductive for cybersecurity and US national security. The brief also describes the negative impact on sound coordinated vulnerability disclosure practices, emerging from a theory of liability requiring public discourse of unmitigated cyber incidents.
The brief’s signers include top cybersecurity organizations such as SINET and the Internet Security Alliance. It is also signed by 20+ cybersecurity leaders who have served as CISOs and in other senior cybersecurity roles at major companies – including Activision Blizzard, AMD, Albertsons, Amazon Prime Video, Avangrid, AXIS Capital, BBVA USA, Blackstone, City National Bank, Clorox, DataRobot, Exelon, HP, Intel, NTT, Salesforce, SAP, Siemens, and Staples – who signed solely in their personal capacities and not on behalf of their affiliated companies.
The amazing support from industry leaders was overwhelming, but it also sheds light on a critical gap: the CISO and security community must organize itself more effectively if it wants to drive policy action and impact.