
I lost 25 pounds in 3 weeks - Tim Brown SolarWinds CISO

Jan 13, 2026

CISO SolarWinds

Context:

This interview is with Tim Brown, who was CISO of SolarWinds before the Sunburst incident, led security through the crisis, and remains in the role today. The exchange covers three key phases:

  • Before the Incident: how the security program and cross-functional relationships were structured

  • During the Incident: how the compromise was discovered, how the response was organized, and how the role of the CISO evolved under pressure

  • After the Incident: what changed to move from a "reasonable" program to an "exemplary" program, and how trust was rebuilt

An article published on Threatlink details the cyberattack in depth here.



The goal of this article is to summarize the key points. Feel free to watch the video for more details.


1) Build the Incident Response Around People and Relationships, Not Just Procedures

A paper plan alone is not enough to manage a major incident. The effectiveness of the response relied on:

  • Pre-established working relationships between engineering, legal, marketing, communications, product, and senior management

  • Regular exchanges with executives and the board of directors

  • Familiarity gained by treating smaller incidents as real incidents


Major incidents often fail because teams have to collaborate for the first time under intense pressure. Advance coordination helped reduce this risk.


2) Treat “Small” Issues as Incidents to Prepare for the Worst

Vulnerabilities reported by clients were treated as incidents and tracked until resolution. Smaller events (for example, stolen devices or country-specific notification obligations) were handled through the same channels that were later used at a much larger scale.

This created reproducible reflexes: who to call, how to escalate, and how to coordinate legal and communications.


3) Structure the Response Quickly, Clearly Allocate Responsibilities, and Avoid Questioning Everything

The discovery came abruptly on December 12, leaving about 24 hours to prepare for public disclosure. The response worked because responsibilities were clearly separated:

  • Communication: led by the marketing team

  • Legal: handled by the legal department, including exchanges with law enforcement

  • Engineering: focused on the compromise of the build process

  • IT: focused on entry vectors and instrumentation

External crisis coordination helped facilitate meetings, organize workstreams, and maintain execution. The speed of action relied on trust granted to the leaders of each workstream, rather than on constant questioning.


4) Define the Role of the CISO as Translator, Connector, and Unblocker of Friction Points

In a crisis of this magnitude, the CEO took the lead, as the company itself was at stake.

Crisis management and coordination of the incident response team were led by the law firm DLA Piper. Given the scale and impact of the attack, it was essential to rely on external experts with the necessary experience and reflexes, especially to coordinate exchanges with authorities (FBI, NSA) and various governments.

Tim's role then evolved into:

  • Translating technical elements into actionable decisions for management

  • Validating what could be publicly communicated

  • Managing key external relations, particularly with CISA

  • Interacting with governments and large clients who requested to speak to the CISO

  • Removing operational bottlenecks that could slow remediation

The depth of the security team was critical, as routine operations had to continue despite the leadership's mobilization on the crisis.

5) Transition from “Reasonable” Security to “Exemplary” Security, Then Rebuild Trust with Facts

A "reasonable" security program is not enough against a nation-state adversary. After the incident, the changes were built on an assume-compromise posture and on limiting the impact any single actor could have, in particular through:

  • A triple build environment

  • Multiple redundancy controls

  • Mechanisms requiring several internal people to act together before a build can be modified
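
The two build-integrity controls in that list, as an added illustration rather than SolarWinds' own design: a release gate in Python that refuses to ship unless three independent build environments produced byte-identical artifacts and at least two distinct people have approved. The environment names, thresholds and artifact bytes below are constructed for the example.

```python
# Added example (not SolarWinds' code): release gate combining agreement
# across independent build environments with a multi-person approval quorum.
# Environment names, thresholds and artifact bytes are assumptions.
import hashlib
from dataclasses import dataclass

REQUIRED_ENVIRONMENTS = 3   # the "triple build environment"
REQUIRED_APPROVERS = 2      # several internal people must sign off


@dataclass(frozen=True)
class BuildResult:
    environment: str   # which independent builder produced it
    artifact: bytes    # the produced binary or package


def artifact_digest(artifact: bytes) -> str:
    return hashlib.sha256(artifact).hexdigest()


def builds_agree(results, required=REQUIRED_ENVIRONMENTS) -> bool:
    """True only if `required` distinct environments produced an identical
    artifact. A single compromised builder that injects an extra build step
    yields a divergent digest, so the release is blocked."""
    if len({r.environment for r in results}) < required:
        return False            # not enough independent evidence
    return len({artifact_digest(r.artifact) for r in results}) == 1


def quorum_met(approvers, required=REQUIRED_APPROVERS) -> bool:
    """Counts distinct approvers: one account cannot satisfy the quorum alone."""
    return len(set(approvers)) >= required


def release_allowed(results, approvers) -> bool:
    return builds_agree(results) and quorum_met(approvers)


# Constructed sample data: three clean builds, then one diverging build.
CLEAN = [BuildResult(env, b"product-1.0.0") for env in ("build-a", "build-b", "build-c")]
TAMPERED = CLEAN[:2] + [BuildResult("build-c", b"product-1.0.0" + b"+extra-step")]

if __name__ == "__main__":
    print("clean, 2 approvers:", release_allowed(CLEAN, ["alice", "bob"]))         # True
    print("tampered, 2 approvers:", release_allowed(TAMPERED, ["alice", "bob"]))   # False
    print("clean, 1 approver twice:", release_allowed(CLEAN, ["alice", "alice"]))  # False
```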

The rebuilding of trust was measured through client renewal rates:

  • Approximately 92% before the incident

  • A drop to 80% during the crisis

  • A rise to 98% in a subsequent public quarter

Transparency and continuous communication gave clients the facts they needed to justify staying with SolarWinds.


Summary

SolarWinds has become a case study in managing a nation-state cyberattack. By choosing transparency, Tim lets the whole security community learn how to handle such situations: daily preparedness through rigorous incident-management discipline, rapid and clear allocation of roles during the crisis, and post-incident architectural hardening are what made the recovery possible.

He also points to AI as the next inflection point, where resilience may require re-architecting systems beyond what humans alone can manage.