SolarWinds Breach Shows Why Cybersecurity Must Be a Board‑Level Priority
The December 2020 SolarWinds hack highlighted how easily software and system supply chains can be compromised when an organization lacks a robust cybersecurity policy.
CISA’s official statement notes that an advanced persistent threat (APT) actor began targeting U.S. government agencies, critical infrastructure, and private sector entities in March 2020, demonstrating patience, operational security, and sophisticated tradecraft. CISA warns that removing this actor from compromised environments will be highly complex and challenging. The detailed infection vectors and mitigation steps are outlined in the statement here.
These details echo insights from embedded.com and EE Times, reinforcing the critical role of IoT security and the expertise of semiconductor industry security professionals.
It remains astonishing that governments that obsess over security can still be breached through third‑party systems that skip proper safeguards. I recall, as a former contractor for the British government, the rigorous security training and awareness required—never leaving a laptop in a locked car, always keeping it on my person or within sight. These practices illustrate the human element that can be overlooked.
Ultimately, the SolarWinds incident underscores a fundamental policy gap: should cybersecurity be the sole responsibility of hardware and software designers, or must it be embedded at the highest levels of corporate governance?
Woodside Capital Partners, a leading corporate finance advisor, released a report titled Seven Lessons for CEOs, Directors, Board Members, and Private Equity Firms, authored by Managing Director Nishant Jadhav. The report argues that the SolarWinds supply‑chain attack demonstrates the urgent need for deeper cybersecurity understanding at the executive and board levels. In an era where advanced persistent threats can lurk invisibly, protecting reputation and enterprise value has never been more critical.
The report stresses that board members must be able to confirm, in plain language, that their organization has robust cyber assurance. Below are the seven lessons:
Lesson One: Adopt a Security‑First, Not Compliance‑First Mindset – Top‑Down
A security‑first approach means the executive team and board grasp the specific risks facing their company and the risks they create for clients and partners. A compliance‑first stance merely satisfies regulatory checklists and offers a fixed, short‑term safety net. Cyber threats evolve rapidly, so quarterly board sign‑offs on the company’s threat posture are essential.
Lesson Two: CISOs Must Be Part of the Executive Leadership Team
Effective CISOs think beyond IT and consider every potential threat vector—including inadvertent data leakage from customer‑facing roles and risks arising from deploying new technologies. By holding CISOs accountable at the executive level, organizations ensure that security recommendations are implemented and risk exposure is continuously measured.
Lesson Three: Measure CISOs with KPIs for Ongoing Protection and Remediation
Instead of terminating a CISO after a breach, focus on their ability to allocate an appropriate security budget, raise cybersecurity awareness across the organization, and model responses to external threats like SolarWinds. KPIs should reflect both operational uptime and the business’s ability to mitigate and recover from attacks.
Lesson Four: A Trusted Partner Does Not Guarantee Security
The SolarWinds case proves that no partner can be considered immune to risk. Implementing air‑gapped environments for new product development can reduce infiltration risk from trusted vendors.
Lesson Five: Compromising Security is Not a Profit Lever
Woodside Capital proposes a “cyber grade” as a valuation metric that reflects technology investments, training, ongoing protection policies, and rapid remediation. Higher cyber grades correlate with higher company valuations. Private equity firms should prioritize cyber grades over short‑term profitability.
Lesson Six: Reevaluate Cyber Insurance at the Board Level
Many policies cover financial losses from data breaches but may exclude supply‑chain attacks or state‑sponsored threats. CISOs should engage boards to secure insurance that covers these scenarios and spans the extended aftermath of an attack.
Lesson Seven: Continuous Reputation Protection
Breaches can happen at any time, impacting business performance. Companies must demonstrate that cybersecurity is a core differentiator—through continuous investment, education, and transparent remediation. By establishing cyber assurance and communicating it to clients and partners, firms can safeguard their reputation over the long term.
The Woodside Capital report also lists growth‑stage companies that provide comprehensive cyber assurance solutions, from risk management to cyber insurance. The full report is available here.