SolarWinds’ new CEO will make these 5 changes post-hack

New SolarWinds CEO Sudhakar Ramakrishna struck a different tone in his first public communication just seven days after starting as CEO of the embattled IT infrastructure management vendor. Unlike his predecessor Kevin Thompson, who is an accountant by training and led the firm from March 2010 to December 2020, Ramakrishna comes from a security background, having most recently led Pulse Secure.

During his five years as Pulse Secure’s CEO, Ramakrishna had to deal with hackers exploiting a widely known flaw in the company’s VPN appliance to carry out ransomware attacks many months after a patch had already been rolled out. Ramakrishna said Thursday that the experience taught him to lead with humility, ownership, transparency, focused action, and a bias toward customer safety and security.

“Although I accepted the position to become CEO before the Company [SolarWinds] was notified of the cyberattack, I feel an even greater commitment now to taking action, ensuring we learn from this experience, and continuing to deliver for our customers,” Ramakrishna wrote in a blog post published late Thursday.

From resetting privileged credentials and re-signing all digital certificates to manually checking source code and rolling out more threat hunting software, here are five critical changes Ramakrishna will make to put security front and center.

5. Leverage third-party tools, ethical hackers for insight

Ramakrishna said SolarWinds will leverage third-party tools to expand the security analysis of the source code for its Orion software as well as related products. The company also pledges to engage with and fund ethical hacking from white hat communities to quickly identify, report and remediate security issues across the entire SolarWinds portfolio, he said.

Vulnerability disclosure programs are nearly as old as the internet itself, but they didn’t gain traction until the early 2010s, when companies like Microsoft, Google, Facebook and Mozilla rolled out programs of their own. Companies without a formal vulnerability disclosure policy often remain in the dark about known flaws in their architecture, with hackers not reporting flaws they’ve found due to fear…