When a high-profile cyber attack hits a company, that organisation gets quoted ad nauseam as an example of what can go wrong and why others need to take heed and improve their own situation.
What is not mentioned anywhere near as much is that high-profile cyber attacks are a moment when the leadership of the impacted organisation can respond in a couple of different ways. One option is to accept that something has happened and put out an agreed corporate response and then head offline; the other is to front it out and communicate with partners and customers.
The attacks on Kaseya and SolarWinds both saw the CEOs of those firms choose the latter approach, with a deliberate decision to “own” the consequences, be transparent and open, and look to build a future where they will not be victims again.
Earlier this year, Fred Voccola, CEO of Kaseya, shared his experiences and said how the business was now looking forward with a much more positive attitude.
There are echoes in the experiences of Sudhakar Ramakrishna, CEO of SolarWinds, who decided that the company would be as transparent as possible with partners and customers but would also try to move forward and use the experience to improve the business.
“Given the backdrop of Sunburst [cyber attack], our main focus was to help customers operate their environments more effectively,” said Ramakrishna. “So, in a sense, business development and growth were not the main priorities as much as customer satisfaction and customer retention was the main priority. So we focused our energies on that.
“And, by all accounts, 2021 was a very successful year for us in that regard, even as we established ourselves as a thought leader in thinking about security challenges and overcoming them, representing the industry at large in the most attractive manner.”
The events of last year led Ramakrishna to drive a strategy of “secure by design” to ensure that, from the outset, technologies were developed with security in mind.
“Now it is more about what did we learn from this?” he said. “How can we help customers avoid these types of situations, because many of our customers, while they consume our software, they are also producers of software. So they understand intuitively that what was inflicted on us can be inflicted on them as well in the future. So, what can we do to learn from our experience and improve the entire environment?”
Part of the answer is to keep up the dialogue about security, and Ramakrishna is keen to encourage the industry as a whole to talk more about security and to share information and best practice.
“I don’t wish anybody to go through an experience like we did,” he said. “But still, I do wish that everybody has the same level of awareness that we do, so you don’t have to go through the pain to have the experience. One of the conscious things we are doing as a result of this is, very openly and freely, sharing all of our learnings and I have been driving this notion of community vigilance. We speak to public sector entities we work with, and private sector entities, to see how we can collectively improve our defences.”
Grasp the nettle
The breach happened just after Ramakrishna had taken over as CEO, but he never had any doubt that he had to grasp the nettle and deal with the Sunburst attack.
“I was coming into the company just as we had found the breach,” he said. “So at one level, I had to find out where the coffee machine is, where the teams are, where the conference rooms are, and also simultaneously deal with that. So my situation is a little bit more fundamental than that.”
Ramakrishna was also clear from the start that the firm would deal with the problem, and do so in as open and honest a way as possible.
“The way I would describe it is, oftentimes the temptation is to close your eyes and hope something like this will go away,” he said. “Or applying the wrong investments, meaning putting a bunch of money into lawyers and PR, and so on and so forth, and try to drown the problem and make it somebody else’s problem as opposed to your problem.
“You still need to stand up and take ownership by addressing that problem. When you truly believe in it, then it becomes a matter of how do you kind of organise your activities to chip away at it, so to speak, because you can’t solve this problem overnight. My belief system was: how do I create a simple framework to explain to people first of all what happened? Then start explaining why it happened. Then, what are you doing about it? So kind of structure the issue.”
Going through that process dominated 2021 for SolarWinds, but now, with more of a focus on security and visibility, the business is looking to continue with a fresh narrative this year. If the word associated with the firm regularly in the past was “attack”, then get ready to hear a lot more about “observability” as the company puts itself at the heart of that market.
“As we turn to 2022, the priorities are really about the continued transformation of our company into much more of an observability leader,” said Ramakrishna. “More broadly speaking, our focus is, regardless of the customer’s environment, how do we deliver simple, powerful and secure solutions that help them with their automation, observation, visibility and remediation capabilities?”
He said it was important to help customers who were struggling with complexity, cloud and application infrastructure to give them more visibility of what was happening across their environments.
“When we think about SolarWinds, when we think about where we are moving forward, and what is our obligation to our customers, we need to solve those problems,” Ramakrishna added. “We have a very broad set of technology assets within our company that we are unifying and simplifying to deliver simple, powerful and secure solutions for our customers. So what you will see us do more in 2022 is start delivering on that promise and evolving that journey into 2023, 2024 and beyond.”