Imagine losing 25 pounds in just 20 days—not from a trendy diet or intense workout, but from the sheer stress of being at the epicenter of a global cyber-attack. This is the story of Tim Brown, the Chief Information Security Officer at SolarWinds, who lived through one of the most high-stakes moments in cybersecurity history. On December 12, 2020, Brown’s world turned upside down when SolarWinds discovered it had been hacked by Russia. But here’s where it gets controversial: was SolarWinds the real target, or just a stepping stone to something bigger? Let’s dive in.
Brown recalls the moment vividly. The call came from Kevin Mandia, founder of cybersecurity firm Mandiant, revealing that SolarWinds’ Orion software—used by over 300,000 global clients, including the U.S. Treasury and thousands of companies—had been compromised. The hackers, later linked to Russia’s Foreign Intelligence Service, had inserted malicious code into Orion during its build process, granting them remote access to countless systems. And this is the part most people miss: the attack wasn’t just about SolarWinds; it was a gateway to infiltrate high-profile government agencies and corporations.
In the chaos that followed, Brown operated on pure adrenaline. With the company’s email system compromised, the team resorted to in-person meetings during the peak of the COVID-19 pandemic. “We gave up on the phones and just everybody came into the office,” Brown explains. The stress was relentless. “I lost 25 pounds in about 20 days… just going, going, going,” he admits. His face appeared on CNN, 60 Minutes, and every major newspaper as he tried to communicate what was safe—and what wasn’t—in a world suddenly on fire.
But here’s the controversial question: Did SolarWinds do enough to protect its clients? While the company switched to secure communication tools like Proton email and Signal, the damage was already done. Brown fielded calls from the U.S. Army, the COVID-19 vaccine program Operation Warp Speed, and countless others demanding answers. “The world wanted verbal communication, not written,” he reflects. “They wanted to hear the nuance, the ‘color’ around the situation.” This lesson in crisis communication is one every leader should heed.
The fallout was brutal. SolarWinds halted new features for six months, focusing instead on rebuilding trust and security. Transparency became their mantra, but it wasn’t enough to prevent legal repercussions. In 2022, the company settled a class-action lawsuit for $26 million. Then, in October 2023, the SEC sued SolarWinds and Brown personally, alleging they misled investors about cybersecurity protections. Is this fair, or is Brown being made a scapegoat for a nation-state attack?
The stress took a toll on Brown’s health. While in Zurich, he experienced symptoms of a heart attack—shortness of breath, tightness in his chest. “I thought I was managing the stress well,” he admits. Now, he advocates for companies to provide psychiatric support for employees during such crises. “Stress keeps building up, and you don’t always realize it until it’s too late.”
As of July, a confidential settlement with the SEC has been proposed but remains pending due to the U.S. government shutdown. Brown has stayed with SolarWinds throughout, driven by a sense of responsibility. “It happened on my watch,” he says. “Leaving wasn’t an option until it was done.”
So, what do you think? Was SolarWinds a victim of circumstance, or did they fall short in their duty to protect clients? Should individuals like Brown bear the brunt of legal consequences for nation-state attacks? Let’s spark a conversation in the comments—this is one debate that’s far from over.
