Phronia Counsel

CISO Liability: The First Head on a Pike That Wasn't

The SEC dropping the SolarWinds case against its CISO wasn't a victory for security leaders. It was a warning.

After two decades in security leadership, I've watched the threat landscape shift a hundred times. New attack vectors. New regulations. New tools. But in November 2025, something changed that most of us are still processing.

The SEC dropped its case against SolarWinds and CISO Tim Brown. No settlement. No negotiated resolution. Just a dismissal with prejudice, meaning they can't file it again.

This wasn't a victory. It was a warning.

The uncomfortable reality

Let me be crystal clear about what actually happened here. The SEC didn't lose because CISO liability isn't real. They lost because the facts in this particular case weren't strong enough to survive defense motions. The knife is still in the drawer. We just found out it's not as sharp as we thought it was.

Here's what didn't change. The SEC's cyber disclosure rules are still fully in force. The 8-K four-day incident reporting requirement is still there. The 10-K governance requirements are still there. The securities laws don't care that the SEC couldn't win this one.

And now CISOs around the world are breathing easier while completely missing the point. The threat didn't go away. The ammunition just shifted.

What actually changed

For the first time, we have a published record of a CISO being named in an SEC enforcement action, and then of that action being dismissed. What does that give us? A roadmap. Defense counsel now have ammunition showing that these theories aren't slam dunks. They can point to this case and say "See? The SEC tried this, and it didn't stick."

That's meaningful. But it's not vindication. It's just breathing room.

The conversations that need to happen now are getting louder. Boards are asking CEOs harder questions. CEOs are asking CISOs harder questions. And the ones asking the hardest questions are the lawyers, because this case proved that the legal exposure is real, even if this particular charge sheet wasn't strong enough.

What didn't change

The SEC cyber disclosure regime is intact. CISOs can still be named in enforcement actions. International regulations like NIS2 and DORA are actually expanding personal liability, not shrinking it. And the gap between what you know internally and what you say externally? That gap is still a liability minefield.

This isn't the end of CISO liability. It's the beginning.

The SEC showed the knife

The knife is disclosure. It's the decision to tell the world something is secure when you know it isn't. It's the moment where "we don't know" becomes "we assert it's fine." That's where the CISO gets exposed.

The SolarWinds case didn't show that CISOs are safe. It showed that the SEC's theory in that specific case had holes. The next case might not. The next case might be cleaner. The next case might be about a CISO who signed something they shouldn't have signed. Or didn't document something they should have documented.

You are the face of failures caused by decisions you never had the authority to make.

Most CISOs will not lose their jobs because of a breach. They'll lose their jobs because someone needs to be blamed. And then they'll get sued because the person blaming them is the one who made the decision in the first place.

The asymmetry nobody talks about

Here's what kills CISOs: the authority-accountability mismatch. You're accountable for the security of systems you don't control. You report risk that doesn't get fixed. You escalate threats that get ignored. And then when something goes wrong, the person who ignored you points at you and says "That's why we hired them. They failed."

That's not legal liability. That's organizational reality. But the legal liability comes from what you documented and what you didn't.

Your email trail is your body armor. If you didn't document it, it didn't happen. If you escalated to the CFO and she said no, you need to have that in writing. If you told the CEO the network was vulnerable and they told you to move on to other things, you need to have that on record.

Because the moment something happens, everyone disappears. The CEO gets a good lawyer. The board meets in executive session. And you're standing there with your technical credibility while they're standing there with their legal defense.

To my fellow security leaders

This is the moment to have conversations you've been putting off.

First, know your formal status. "Chief Information Security Officer" is a title. It doesn't make you an officer in the legal sense. Officer status is created by board resolution and bylaws. If you don't know your status, find out. Because officer status changes both your exposure (more formal liability) and your protection (D&O coverage, indemnification).

Second, demand D&O coverage and verify you're listed. The 2023 Secursis survey found that 38% of CISOs don't have D&O insurance at all. That's insane. You need D&O coverage, and you need to know that you're explicitly listed as an "Insured Person."

Third, document everything. Not for auditors. For lawyers. Document the decision, the escalation, the response, and the reasoning. Then document what happened next.

Fourth, align with your governance. The person you report to matters. The governance structure you operate under matters. If you're reporting to the CIO, who reports to the COO, who answers to the CEO, you're three steps away from the board. That's a problem. You need a path to the board audit committee or the risk committee. Not every quarter, but at least annually, and immediately when something breaks.

Fifth, get coverage in writing. This isn't a conversation with your CEO over coffee. This is a conversation with legal counsel. This is a document you sign. This is a commitment the company makes in writing that they'll defend you, they'll indemnify you, and they'll cover your legal costs if this goes sideways.

And finally, be prepared to walk. If the company won't give you authority commensurate with your accountability, if they won't document your escalations, if they won't give you D&O coverage, if they won't commit to indemnification, then the company has told you something. They've told you that they don't believe the risk is real. So why are they hiring you?

The SEC walked away from the first CISO-targeting enforcement. They didn't walk away from the threat. They just retreated to file a better case next time.

The knife is still sharp. You just found out what it can actually cut.