
I lost 25 pounds in 3 weeks - Tim Brown SolarWinds CISO
Jan 13, 2026

Context :
This interview is conducted with Tim Brown, CISO of SolarWinds before the Sunburst incident, during the crisis management, and still in office after it. The exchange covers three key phases:
Before the incident: how the security program and cross-functional relationships were structured
During the incident: how the compromise was discovered, how the response was organized, and how the CISO's role evolved under pressure
After the incident: what changed to move from a "reasonable" program to an "exemplary" program, and how trust was rebuilt
An article published on Threatlink details the cyberattack in depth here
The objective of this article is to summarize the key points. Feel free to watch the video for more details.
1) Build incident response around people and relationships, not just procedures
A plan on paper, on its own, is not enough to manage a major incident. The effectiveness of the response relied on:
Working relationships already established between engineering, legal, marketing, communication, product, and general management
Regular exchanges with executives and the board of directors
Familiarity gained by treating smaller incidents as real incidents
Major incidents often fail because teams must collaborate for the first time under intense pressure. Prior coordination helped reduce this risk.
2) Treat "small" issues as incidents to prepare for the worst
Vulnerabilities reported by customers were treated as incidents, tracked from opening to resolution. More limited events (for example, stolen devices or notification obligations specific to certain countries) were managed through the same channels that were later used at scale.
This helped create repeatable muscle memory: who to call, how to escalate, and how to coordinate legal and communications.
3) Structure the response quickly, allocate responsibilities clearly and avoid questioning everything
The discovery occurred abruptly on December 12, with about 24 hours to prepare for public exposure. The response worked thanks to a clear separation of responsibilities:
Communication: led by the marketing team
Legal: managed by the legal department, including exchanges with law enforcement
Engineering: focused on the build process compromise
IT: focused on entry vectors and instrumentation
An external crisis coordination team helped facilitate meetings, organize workstreams, and keep execution on track. Speed of action relied on trusting the leaders of each workstream, rather than constant second-guessing.
4) Define the CISO's role as translator, connector and bottleneck-breaker
In a crisis of this scale, the CEO took the lead, as the company itself was at stake.
Crisis management and the coordination of the incident response team were led by the law firm DLA Piper. Given the scale and impact of the attack, it was essential to rely on external experts with the necessary experience and instincts, particularly to coordinate exchanges with authorities (FBI, NSA) and different governments.
Tim's role then evolved into:
Translating technical elements into actionable decisions for management
Validating what could be publicly communicated
Managing key external relationships, particularly with CISA
Interfacing with governments and major customers who requested to speak to the CISO
Removing operational roadblocks that could slow down remediation
The depth of the security team was decisive, as day-to-day operations had to continue despite leadership being focused on the crisis.
5) Move from "reasonable" security to "exemplary" security, and then rebuild trust with facts
A "reasonable" security program is not sufficient against a nation-state. Post-incident, developments were based on the assumption of compromise and reducing the impact of a single actor, notably through:
A triple build environment
Multiple redundancy controls
Mechanisms requiring multiple internal personnel to affect builds
Rebuilding trust was measured through customer renewal rates:
About 92% before the incident
A drop to the 80s% during the crisis
A recovery to 98% in a subsequent public quarter
Transparency and continuous communication provided customers with the factual evidence needed to justify staying.
Summary
SolarWinds has become a textbook case of how to handle a country-level cyberattack. Through the choice of transparency, Tim enables the entire cyber community to learn how daily preparation, through rigorous incident management discipline, a quick and clear structuring of roles in a crisis situation, and post-incident architectural hardening, made recovery possible.
He also opens up on AI as the next inflection point, where resilience could require re-architecting systems beyond what is manageable solely by humans.