It took a catastrophic hack to put cybersecurity front and center at business software maker SolarWinds.
In the year since suffering one of the biggest cyberattacks in recent history, SolarWinds has had to completely reorient itself around security, says CEO Sudhakar Ramakrishna.
That meant creating a cybersecurity executive committee, which includes Ramakrishna and two board members, to ensure top management is aware of security risks. It also involved giving more authority and resources to the company’s security chief. And it led to upending how the company creates software so that the process is more deliberate, which provides more time and opportunities to discover vulnerabilities.
Ramakrishna became SolarWinds CEO in January, a month after the company was found to have been attacked by Russian hackers. Criminals were able to exploit flaws within SolarWinds’ little-known but widely-used product for managing corporate IT systems that thousands of the company’s customers downloaded. The hackers were then able use the software bugs to covertly penetrate and conduct espionage on the networks of less than one hundred organizations.
Ramakrishna, who was previously the CEO of security firm Pulse Secure, replaced former chief Kevin Thompson, who the company announced in October would leave the company as part of a leadership transition plan. Ramakrishna says he only learned about the SolarWinds hack a few days after he was named CEO in December. He would have a challenging first year on the job, fielding questions from members of Congress about the hack, and overhauling the business, which took a hit as some customers stopped using its technology.
Since then, the tech world has been rocked by several more similar hacks that were unrelated to SolarWinds. The hacks are known as supply chain attacks because they leave users of the software vulnerable rather than the developer that created it.
Earlier this month, researchers discovered a bug in the open-source software tool Log4j used by software developers. It has caused thousands of security teams to scramble to secure their corporate IT infrastructure. Meanwhile in March, Microsoft disclosed its own supply-chain attack in which Chinese hackers exploited a coding bug in its popular Exchange email software. Microsoft has since released patches so customers can fix the flaw.
Ramakrishna says that he’s spent the past year talking with government agencies worldwide that specialize in cybersecurity and that are “actively investigating several supply-chain attacks simultaneously.” Such investigations underscore the extent to which criminals are attempting to replicate SolarWinds-like attacks.
When news of the SolarWinds hack first emerged last year, Ramakrishna acknowledges that “some customers were downright upset and angry.” To repair relationships with clients, he has been meeting with executives to describe the cybersecurity steps his company has taken and has been speaking more publicly about the hack to build trust with the broader business community. It’s better to be transparent rather than distance the company from the hack, he explains.
The more “we put our head in the sand and hope the problem goes away, the more and more the problem actually magnifies,” Ramakrishna says about rebuilding trust. “It shouldn’t be looked at as a shameful thing as much as what do you learn from it.”
Still, SolarWinds’s revenue declined 1.9% year-over-year to $181.3 million in its most recent quarter. In corporate filings, the company said that the hack “is expected to negatively impact revenue, profitability and cash flows in 2021 and beyond.”
But Ramakrishna is hopeful that SolarWinds will rebound. Customer renewal and retention rates, he says, “are almost back to our historical levels, and it’s not even been a year since the incident happened.”
Some of the cybersecurity steps SolarWinds has taken over the past year include setting up a program in which it invites developers to discover flaws in its products so it can fix them before criminals exploit them. The company has held two so-called bug-bounty programs and paid the helpful hackers tens of thousands of dollars to spot problems, Ramakrishna says.
“It’s much better to do that than pay ransom on a ransomware,” he says.
When SolarWinds creates new software products, it essentially makes three different versions of the tools that each require their own security checks and authorizations to access. Doing so makes it more difficult for hackers to break into and perform so-called man-in-the middle attacks, in which they could covertly tamper with the software, he explains. SolarWinds won’t make the tools officially available until all three versions are free of any security holes, Ramakrishna says.
He estimates that changing software development and related IT processes has increased the company’s expenses by 10% to 15%, but he says the extra cost is well worth it.
SolarWinds also regularly runs fake phishing attacks against employees to teach workers to recognize scam emails, one of the most common strategies hackers use to break into companies.
“As you know, it takes one targeted spear phishing attack for an attacker to gain access,” Ramakrishna says.
SolarWinds inevitably faces the risk of being hacked again, but Ramakrishna believes that the extra precautions will probably avoid it.
“My belief is that if you’re applying some of these secure by design principles that we have implemented, the likelihood of something like this goes down significantly,” Ramakrishna says.
Clarification, Dec. 22, 2021 at 2:30 PM ET.: This article has been updated to clarify the number of customers who downloaded the software that the hackers compromised versus the customers who the criminals were able to ultimately hack.
Never miss a story: Follow your favorite topics and authors to get a personalized email with the journalism that matters most to you.
