The 2020 SolarWinds hack is considered one of the worst cyberattacks in recent years. Not exactly the sort of problem that an incoming CEO might want to confront on his first day on the job.
On Dec. 9, 2020, Sudhakar Ramakrishna was named the CEO of SolarWinds, an NYSE-listed company that provides IT infrastructure monitoring and management software to many government agencies and Fortune 500 companies. Days later, a celebratory birthday dinner with his family was interrupted by a call from SolarWinds’ general counsel, informing Ramakrishna that the company’s software was used as a vehicle in a massive hack.
Regulators found that a breach of SolarWinds’ software by a foreign actor gave hackers access to the data of the companies and government offices that used its products. SolarWinds was sued by investors following the breach. Although early reports said 18,000 companies were possibly impacted, SolarWinds’ most recent estimate is that the breach hit approximately 100 private companies and nine federal agencies. The attack was linked to Russian intelligence services, a charge denied by the Russian government.
Ramakrishna was not due to start the job until January 2021, and wasn’t even on the company’s email system yet. Given the magnitude of the attack, which made headlines for exposing the company’s blue-chip clients to an intrusion by piggybacking on a SolarWinds software update, a number of Ramakrishna’s family and friends questioned the wisdom of taking the position.
“I got two categories of input at that point,” Ramakrishna recalls. “One set of people said, ‘Look, you have nothing to prove. You’ve had a very successful career. So don’t go deal with this mess that you did not create.’ The other set of people said, and they were probably being nice, ‘Out of all the people we know, we know you’re probably the best person to solve this problem. You have the background, you have the demeanor. So go for it.’”
His two sons were divided, but ultimately the argument of his younger son carried the day.
“My second son reminded me of what I remind them all the time, which is, If you make a commitment, you try to follow through on it,” Ramakrishna says.
Cybersecurity has emerged as one of the critical challenges facing business leaders. The day I interviewed Ramakrishna, President Joe Biden had summoned a group of tech and financial CEOs to the White House for a summit on the issue, calling it “the core national security challenge we are facing.”
This interview has been condensed and edited for clarity.
So your kitchen cabinet was divided on whether you should take the job after the hack became public. Did you ever seriously consider not taking it?
No. My rationalization was, “What if I had started on Jan. 4, and this came to light on Jan. 6?” I wasn’t probably going to turn around and run from it. No. 2: I have experience dealing with security issues. There is an opportunity to learn, there is an opportunity to create an impact, and most importantly, there’s an opportunity to serve your customers. You can probably accuse me of being a foolish optimist, but that’s how I thought about it.
You had just sold a company, right? Is it public how much you made?
It’s not public, because it was a private company transaction. I can safely say that I probably need not have worked for a paycheck.
What were those first meetings with staffers like?
[One employee] told me there were bets going on within SolarWinds whether I would show up or not.
What was dealing with customers like those first months? Were they pissed off?
Some definitely were, there’s no question. Customers have the right to get pissed off. Your job as a vendor, as a supplier of software, is not to create excuses. Your job, first and foremost, is to face them, tell them what happened, take your punches if you have to, but show them what you’re doing about it. So the first few months—January, February, March—were very intense in that regard in terms of both meeting with federal government customers and commercial customers.
What was the toughest conversation you had with a customer? Do any stand out?
There was one. Here’s where it hurts the most because when your customer buys your product, they are, in essence, trusting their career in your hands. There was one chief information security officer who basically attributed, for him and his team, potentially getting fired due to SolarWinds. That just came out raw. That was the toughest because it was less about the issue and more about the human.
Do you know what ultimately happened in that instance?
I believe they are still there.
President Biden just met with tech and business leaders to talk about cybersecurity. What is the most important thing the federal government can do in this regard?
No matter whether you’re a cybersecurity company or not, there has to be a community vigil model. Everybody has to share information freely with the government, and the government with us, to make our defenses that much more secure. In cyberwars, timeliness matters, almost more than anything else. So if you create an environment where victims are ashamed to come out and say that they got breached, you’re actually making yourself weaker, not stronger. So, get into a world where victims feel confident coming out and sharing. The second thing people like Senator [Mark] Warner [of Virginia] have been talking about [is] providing some level of indemnity, because everybody gets sued in situations like this, rightly or wrongly.
How much has the attack cost the company?
We have come out and said that we are spending to the tune of about $25 million to support the Secure by Design initiative [which enhances the company’s security posture and establishes new standards in secure software development].
What did you learn about crisis management, starting a new job in the middle of all this?
I consider myself to be a situational leader—you adapt your actions depending on what the situation demands, not so much what you want to do. Oftentimes, you’re going in thinking, I want to do A-B-C, but it’s almost irrelevant.
From a crisis-management standpoint, the more that we as leaders can tune our brains to set aside our egos and our personal preferences and focus on the situation at hand, the more useful we will be. The second thing I would say is that there are always a lot of incredibly dedicated people in every situation. It is not their fault that something is inflicted upon them, so your job as a leader is to serve them, to help them realize their full potential and support them through the journey—and not judge them just because they may have been inflicted by this situation.