A Long-Awaited Win for Every CISO in America
The Tim Brown Case Is Over — and What It Means for the Profession, Public-Private Partnership, and the Future of Cyber Accountability
A Thursday Night Jolt
Thursday evening, scrolling on my phone before calling it a night, I stopped cold. A headline I’ve waited five long years to read finally appeared:
The SEC dismissed all charges against Tim Brown, CISO of SolarWinds. Case closed. With prejudice.
If you’ve been in this field long enough, you know exactly how heavy that sentence feels. For half a decade, the entire security community watched one of our own get dragged through a regulatory nightmare that should never have been initiated in the first place.
Tim Brown is no rookie. He’s not a “checkbox CISO.” He’s one of the best in the industry, a person I’m proud to call a friend. But for five years he, his family, SolarWinds employees, and frankly every security leader in America lived under the shadow of a case that made no practical sense, no legal sense, and posed a catastrophic precedent for the profession.
Tonight, that weight lifted.
But this victory came at a cost.
How We Got Here: A Timeline of a Mistaken Hunt
December 2020: SolarWinds is compromised in one of the most sophisticated nation-state operations in modern history. Russian intelligence (APT29) inserts malicious code into Orion software updates in a classic software supply-chain attack.
2021–2023: The U.S. government (CISA, NSA, FBI) confirms publicly that:
This was a nation-state attack
SolarWinds was a victim, not a perpetrator
The campaign was unprecedented in stealth and complexity
October 2023: Despite this consensus, the SEC files charges against SolarWinds and singles out Tim Brown personally, alleging misleading statements in cybersecurity risk disclosures.
This was the shockwave.
Security leaders everywhere asked:
Can the SEC prosecute CISOs for being victims of nation-state attacks?
If they can, why would anyone ever take this job?
Why only the CISO? Why not the board? Why not the CEO?
What precedent does this set for every Fortune 500 company?
2023–2025: The security community, legal community, and industry associations protest loudly and repeatedly. The SEC’s own former commissioners call the case “dangerous overreach.”
Meanwhile, ransomware groups and extortion crews exploit the new SEC 4-day disclosure rule during negotiations, using it to increase pressure and demand higher ransom. Criminals read the rules too.
January 2025: A new administration takes office. New SEC leadership begins re-evaluating inherited regulatory actions.
November 2025: Charges dismissed. With prejudice.
Tim Brown is free.
Why the Case Was Deeply Flawed
Let’s be brutally honest.
This case was never about negligence.
It was about finding a scapegoat to make an example of.
SolarWinds wasn’t negligent at a criminal level.
They were victimized by one of the most advanced intelligence services in the world, in an attack so sophisticated that:
It bypassed dozens of U.S. government networks
It evaded elite defensive teams
It blended into trusted software supply chains
It leveraged tactics the industry had rarely seen at that scale before 2020
Anyone who lived through this era remembers:
“software supply chain” wasn’t the daily buzzword it is today.
In 2018–2020 it was a fringe talking point, not a congressional hearing.
The SEC’s case also contradicted everything Washington has publicly preached since at least 2016:
“We need stronger public-private partnership.”
“We must encourage companies to disclose incidents.”
“We must reduce barriers to working with federal agencies.”
But when the SEC attacks a victim of a nation-state assault, especially by targeting the individual CISO, that partnership collapses instantly.
Why would any company share intel with agencies that may weaponize that intel against them later?
Why would a CISO take the job knowing they could be personally prosecuted for the actions of Russia, China, or Iran?
The Ripple Effects: Fear, Silence, and Paralyzing Distrust
For five years, the entire profession operated under the anxiety that:
A nation-state attack could cost you your career
Your board could hang you out to dry
Your disclosures could be dissected with hindsight bias
Regulators might punish you even when you did everything reasonably expected
The SEC tried to make Tim Brown unhireable in any public company for life.
That’s not regulation.
That’s a warning shot.
And it achieved the opposite of what good regulation should do:
It discouraged cooperation
It weakened trust
It emboldened attackers
It made executives more fearful of disclosure
It made CISOs consider leaving the field altogether
This wasn’t protecting investors.
It was scaring away the very people needed to protect investors.
Public-Private Partnership: The U.S. vs. Countries That Actually Do It Well
While the U.S. continues to debate how much it can punish victims, other countries show what effective partnership looks like.
When I toured INCD (Israel National Cyber Directorate) this spring, I saw real public-private collaboration:
Government teams proactively calling companies
Sharing actionable intelligence
Working side-by-side to mitigate active threats
Treating defenders as partners, not suspects
Singapore operates similarly.
The Netherlands does too.
Even the UK is trending in that direction.
In the U.S., what do we get?
Fear.
Hesitation.
A culture of “don’t call them, lawyers won’t allow it.”
And this case reinforced every reason for that fear.
Meanwhile: Companies Are Getting Hit Harder Than Ever
Take Jaguar Land Rover.
A ransomware attack shut down production for over 40 days, forcing a UK government bailout worth £1.5 billion. That’s jobs, supply chain, manufacturing, retail, exports—the whole ecosystem—at risk.
Was the solution to prosecute their security leaders?
No.
The solution was support.
And oversight.
And learning.
And improving systemic resilience.
SolarWinds deserved the same balanced treatment.
Instead, the SEC used them as a political billboard.
Finally, Accountability for the Regulator
What changed?
New leadership.
New administration.
Fresh legal review.
Industry pressure.
And perhaps, finally, a realization that you cannot regulate cybersecurity by prosecuting victims.
The dismissal “with prejudice” isn’t just a legal term.
It signals:
The case should never have been brought
There was no valid path forward
The SEC is admitting the foundational flaws
It’s over.
Tim Brown can go back to being what he always has been—one of the best practitioners in our field.
What Comes Next: A Reset in Cyber Regulation
We need a national shift—one Sean Curran highlighted at the Aspen Cyber Summit this week.
A shift from:
Punitive regulation → to collaborative resilience
Fear-based reporting → to transparent information-sharing
Burden on CISOs → to shared accountability across leadership
Fragmented incentives → to unified national security strategy
If the SEC wants to make cybersecurity disclosures safer, here’s the path:
Eliminate the rigid 4-day rule
Establish a national minimum cybersecurity standard for public companies
Encourage reporting through safe-harbor protections
Strengthen cooperation during incidents
Build trust instead of fear
Cyber is national security.
National security requires unity, not scapegoats.
A Personal Note — And Why This Became Today’s Article
I wasn’t planning to write this today.
I had a three-part series brewing on subscription models and budget freezes heading into 2026.
But this news mattered more.
Heading into Thanksgiving week—a time built around gratitude—I’m grateful this chapter is closed for Tim Brown. I’m grateful for the renewed possibility of better regulation. And I’m grateful for what this means for every CISO navigating nation-state threats while balancing risk, budget, regulation, and expectations that often contradict one another.
This job is hard enough when you’re fighting Russia, China, Iran, and criminal syndicates.
You shouldn’t have to fight the U.S. government too.
None of us are perfect.
No program is perfect.
No leader is perfect.
Mistakes happen.
And as Ted Lasso said:
“I hope we’re given the grace not to be judged by our worst moment.”
For five years, Tim Brown wasn’t given that grace.
Today, finally, he is.
And today, the entire cybersecurity community celebrates with him.
Join the Conversation
I want to hear your thoughts, your concerns, and your take on what this means for the profession.
Join us in the community chat at CyberHubPodcast.com.
The show is back Monday morning at 9 AM ET with the latest cybersecurity news.
Stay cyber safe.