SolarWinds MSP Hunts For New Security Chief Following Split

‘Tim [Brown, VP of Security] has been a fantastic advisor to the 25,000 MSPs that we have. So, we’re bummed. But we understand. So, we’re looking to see if we can clone him,’ says SolarWinds MSP President John Pagliuca.


SolarWinds MSP will be forced to find a new security leader this spring as it spins out from SolarWinds and becomes an independent company.

Vice President of Security Tim Brown said the original plan was for him to continue with SolarWinds MSP following the split, at which point the remote monitoring and management vendor will be known as N-Able. But following the massive hack of the Orion network monitoring platform, Brown said the decision was made to have him stay with SolarWinds proper and task SolarWinds MSP with finding a new CISO.

“Tim’s been a fantastic advisor to the 25,000 MSPs that we have. So, we’re bummed,” SolarWinds MSP President John Pagliuca told CRN. “But we understand. So, we’re looking to see if we can clone him and find someone like that for the MSP business as well.”

Brown brought more than 20 years of cybersecurity experience to the table - including nearly four years as a Dell Fellow and CTO for Dell Security - before becoming SolarWinds’s security leader in July 2017. Brown’s career has taken him from Congress and the White House Situation Room to sitting on the Open Identity Exchange’s board and serving as a member of the Trans Global Secure Collaboration Program.

“If we need two Tims, we’ll go find a second Tim [Brown],” SolarWinds’s then-CEO Kevin Thompson told CRN in August after revealing plans to spin off SolarWinds MSP. “There aren’t very many of them, but we found Tim and if we need two of them, we’ll go find the other one.”

Over the past three-and-a-half years, Pagliuca said Brown has excelled at articulating to MSPs what’s important from a security perspective and helping them run their businesses more safely. Pagliuca therefore wants Brown’s replacement to not only be a security expert but also be relatable to MSPs so that customers will trust the new CISO to walk a mile in their shoes and give them informed feedback.

SolarWinds MSP’s next CISO must be able to help MSPs understand what the company is doing, why the company is doing these things, and how they can convey that information to their customers, Brown said. Brown said his replacement should have lots of industry experience and appropriate skills in safeguarding both businesses in general and software providers in particular.

In addition, Brown said SolarWinds MSP’s new security chief should have influence in the development organization and be able to drive secure architecture and design. Although no SolarWinds MSP products were compromised in the latest hack, a zero-day vulnerability in the company’s remote monitoring and management tool allowed security researchers to steal administrative credentials of an account holder.

The flaw was reported in October 2019 and remained open for more than three months, according to security vendor Huntress. SolarWinds said at the time that the exploit was never used by malicious actors to compromise any partner accounts, and deployed hotfixes for the flaw in January 2020. It also released a mitigation tool that could be used in the event the hotfix couldn’t be applied.

SolarWinds told CRN at the time that the researcher reported the flaw to the company in October but there was no proof of concept. Following its internal protocol, the company monitored the findings and began working on a patch in late January when a proof of concept was disclosed.

Rich Delaney, the president of Delaney Computer Services - an MSP in New York City and New Jersey - said he is “alarmed” at the current lack of a CISO at the new company. The longtime SolarWinds MSP partner said the chief information security officer is responsible for enforcing the company’s security philosophy.

“If that’s the case, it alarms me,” Delaney told CRN. “Who is holding their internal technology staff and solutions accountable to being secure?”

With contributions from CRN Senior Editor O’Ryan Johnson.