The Eight Principles of Security Leadership: An insider’s view of SolarWinds & Supply Chain Failure

In 2017, I failed to save a 5 billion dollar company from getting ravaged by Russian and Chinese Advanced Persistent Threat actors from a series of attacks that may have started in 2019. The repercussions of the SolarWinds “hack” as it has been characterised has generated a lot of attention – mainstream media up to and including three US government house committees: Intelligence, Homeland Security & Reform and Oversight. After four years of introspection I maintain the attack – even though it was conducted by nation state actors funded with millions of dollars and nearly unlimited resources - could have been thwarted. Although we characterise “security” into three domains of people, process & technology there is a need to unite these domains into an organization imperative. I discovered that without security leadership in place to unite people, process & technology in common purpose the three domains become silos. It is within these silos that threat actors exploit organizations and dwell within organizations undetected. In this presentation I present Eight Principles of Security Leadership and discuss candidly how they could have been applied to prevent catastrophe for an organization like SolarWinds.