Galink Logo

Solution

Partners

Resources

About

Log in

Galink the TPRM solution No. 1

I lost 25 pounds in 3 weeks - Tim Brown SolarWinds CISO

Jan 13, 2026

CISO SolarWind

Context :

This interview is conducted with Tim Brown, CISO of SolarWinds before the Sunburst incident, during the crisis management, and still in office after it. The exchange covers three key phases:

  • Before the incident: how the security program and cross-functional relationships were structured

  • During the incident: how the compromise was discovered, how the response was organized, and how the CISO's role evolved under pressure

  • After the incident: what changed to move from a "reasonable" program to an "exemplary" program, and how trust was rebuilt

An article published on Threatlink details the cyberattack in depth here



The objective of this article is to summarize the key points. Feel free to watch the video for more details.


1) Build incident response around people and relationships, not just procedures

A plan on paper, on its own, is not enough to manage a major incident. The effectiveness of the response relied on:

  • Working relationships already established between engineering, legal, marketing, communication, product, and general management

  • Regular exchanges with executives and the board of directors

  • Familiarity gained by treating smaller incidents as real incidents


Major incidents often fail because teams must collaborate for the first time under intense pressure. Prior coordination helped reduce this risk.


2) Treat "small" issues as incidents to prepare for the worst

Vulnerabilities reported by customers were treated as incidents, tracked from opening to resolution. More limited events (for example, stolen devices or notification obligations specific to certain countries) were managed through the same channels that were later used at scale.

This helped create repeatable muscle memory: who to call, how to escalate, and how to coordinate legal and communications.


3) Structure the response quickly, allocate responsibilities clearly and avoid questioning everything

The discovery occurred abruptly on December 12, with about 24 hours to prepare for public exposure. The response worked thanks to a clear separation of responsibilities:

  • Communication: led by the marketing team

  • Legal: managed by the legal department, including exchanges with law enforcement

  • Engineering: focused on the build process compromise

  • IT: focused on entry vectors and instrumentation

An external crisis coordination team helped facilitate meetings, organize workstreams, and keep execution on track. Speed of action relied on trusting the leaders of each workstream, rather than constant second-guessing.


4) Define the CISO's role as translator, connector and bottleneck-breaker

In a crisis of this scale, the CEO took the lead, as the company itself was at stake.

Crisis management and the coordination of the incident response team were led by the law firm DLA Piper. Given the scale and impact of the attack, it was essential to rely on external experts with the necessary experience and instincts, particularly to coordinate exchanges with authorities (FBI, NSA) and different governments.

Tim's role then evolved into:

  • Translating technical elements into actionable decisions for management

  • Validating what could be publicly communicated

  • Managing key external relationships, particularly with CISA

  • Interfacing with governments and major customers who requested to speak to the CISO

  • Removing operational roadblocks that could slow down remediation

The depth of the security team was decisive, as day-to-day operations had to continue despite leadership being focused on the crisis.

5) Move from "reasonable" security to "exemplary" security, and then rebuild trust with facts

A "reasonable" security program is not sufficient against a nation-state. Post-incident, developments were based on the assumption of compromise and reducing the impact of a single actor, notably through:

  • A triple build environment

  • Multiple redundancy controls

  • Mechanisms requiring multiple internal personnel to affect builds

Rebuilding trust was measured through customer renewal rates:

  • About 92% before the incident

  • A drop to the 80s% during the crisis

  • A recovery to 98% in a subsequent public quarter

Transparency and continuous communication provided customers with the factual evidence needed to justify staying.


Summary

SolarWinds has become a textbook case of how to handle a country-level cyberattack. Through the choice of transparency, Tim enables the entire cyber community to learn how daily preparation, through rigorous incident management discipline, a quick and clear structuring of roles in a crisis situation, and post-incident architectural hardening, made recovery possible.

He also opens up on AI as the next inflection point, where resilience could require re-architecting systems beyond what is manageable solely by humans.