Insights from the CEO who walked in on a cyber calamity
On 12 December 2020, Sudhakar Ramakrishna got perhaps the worst birthday gift ever. As he was celebrating over dinner, he got a call informing him that SolarWinds, the company where he had been appointed CEO just five days prior, had been the victim of what Microsoft president Brad Smith called “the largest and most sophisticated [cyber] attack the world has ever seen”.
SolarWinds is not a household name. But it attracted the attention of hackers because of the services it sells and - more importantly - its clients.
The company develops software designed to help businesses manage their IT infrastructure, networks and systems. At the time of the hack, its client list included nearly every Fortune 500 company, as well as a number of American federal agencies. Hacking SolarWinds offered potential access to some of the biggest organisations in the world.
The attack, believed to be orchestrated by the Russian Foreign Intelligence Service, targeted SolarWinds’ Orion software: an infrastructure monitoring and management platform designed to simplify IT administration.
Of the more than 33,000 organisations that use Orion, more than half are thought to have been affected, including the US Treasury Department, the US Department of Homeland Security, NATO, the European Parliament, the NHS and the UK’s Ministry of Defence. It is hard to imagine a more high-profile group of targets.
How the SolarWinds CEO handled the hack
Ramakrishna had been working on a 90-day plan so he could hit the ground running when he joined SolarWinds. That immediately went out the window as dealing with the hack took precedence and his start date was pulled forward.
Many might have panicked but Ramakrishna used his 25 years of experience as a technology leader to take a pragmatic approach. While the hack was unprecedented in scale, he saw it as something that needed to be addressed and learned from.
“It is unfortunate but true that breaches are normal,” he tells Raconteur. “Like any breach, we’re going to address it and move on, but also maybe learn something from it.”
For Ramakrishna, addressing the hack meant focusing on what he calls “first principles”. This means putting people - both employees and customers - first and communicating with transparency.
“You have to focus on your employees and focus on your customers,” he advises. “Many of them will be feeling various emotions and may not have the full details. Your obligation and your responsibility is to give them a sense of calm.”
This meant that even before he officially started as CEO, Ramakrishna was meeting with clients, “some of whom were downright angry”. With a breach of this magnitude and customers whose jobs were of national importance, nothing but transparency and humility would do.
“Whether you created the problem or not, it doesn’t matter. You apologise, you tell them what you know and you empathise with them,” he says.
Ramakrishna says certain conversations stick in his memory because he knew there was a real possibility that the person he was talking to might lose their job as a result of the breach.
“You can’t hide in those cases,” he says. “You can’t reason; you can’t create an excuse. So you just accept it, explain what you’re doing for them and, hopefully, deliver on it.”
When it came to the employees, Ramakrishna was very conscious of the timing of the hack. The SolarWinds workforce was, he recalls, gripped by a combination of curiosity and shell-shock. This was the heady mix of emotions they would soon be bringing to the Christmas party before taking time off, not knowing what sort of organisation they might be returning to in the new year.
Here too, clear communication was key and - more importantly still - knowing there was a reliable pair of hands at the helm.
“The previous CEO had been there for 10 years so they could have looked at me like ‘who is this guy?’,” says Ramakrishna. “But my transition was as smooth as I could have hoped. There was no time for introductions. In fact, one of my employees said ‘you didn’t even speak, you just went to work’.”
How the company operated also had to change. In the six months following the attack, new product development was halted while the company focused solely on security. SolarWinds spent millions of dollars investigating the entire business, shoring up any gaps in its security.
Advice for leaders on navigating a crisis
Ramakrishna admits that during a crisis “there really is no game plan.” There are, however, better and worse ways to respond and, to this end, Ramakrishna has five pieces of advice he believes business leaders can apply to any crisis.
“Trust and transparency go together,” says Ramakrishna. And nothing will be as important or as vulnerable in the wake of a crisis as trust. Customers buy from you or rely on your service from a foundation of trust, so repairing or retaining this must absolutely be your first priority.
“Don’t spin it. Don’t try to hide it under the rug. Be transparent. And transparency means sharing what you know, what you don’t know and what you are doing.”
Once you have a handle on the problem, complement your transparency with urgency. “Do something about it. Have a plan - it may not be the perfect plan, you may iterate on it, but have a plan and execute it.”
A CEO may be held ultimately accountable for what happens within an organisation, but leadership teams were created for a reason: because no one person holds all the answers. “Don’t try to solve the problem all by yourself. Seek help.”
There is little point in investigating the problem, instigating a plan, and getting input from those around you if this information stays within your team. “Communicate and communicate relentlessly,” says Ramakrishna. There is no such thing as too often.
Ramakrishna’s final lesson might be the most difficult to implement, but it is the most crucial, especially when it comes to building trust with employees. “Especially in business situations, you don’t have all the answers. You’re going to learn some things. Be humble about that and don’t get fixated or let biases sink into you.”
These five principles, says Ramakrishna, are what he reminded himself of every day during the aftermath of the attack and are, ultimately, what saw him and SolarWinds through to the other side.
How SolarWinds is thriving post-breach
Almost two years after news of the attack broke, SolarWinds, which has more than 2,000 employees and revenue last year of $718m, is on the road to recovery.
In part this is down to a new focus for its software development. Ramakrishna joined from the security software industry and was a proponent of a framework called ‘secure by design’, where security is considered right from the beginning of development and built into every step of the process. When new product development restarted in mid-2021, this was put at the heart of its work.
This has helped reassure customers. The company’s retention rate was around 90% before the hack. It took a hit in the immediate aftermath but is now back to that level. All nine of the US government agencies hit by the attack are still clients as well.
It is impossible to say how the company might have fared with a different CEO, but Ramakrishna seems to have played a key role in building SolarWinds back up.
That doesn’t mean he didn’t question his decision to join. He recalls how quickly messages of congratulations on his new role turned to warnings about what he might uncover when he joined.
“A lot of people said ‘you don’t know what you’re walking into, because you didn’t create it - you can walk away’,” he adds.
In the end, he asked himself whether he would have quit had he found out about the breach a week into the job, rather than a month before joining. His gut said no.
“I looked at it as an opportunity to learn something, an opportunity to serve. The industry has done a lot of good for me, so I thought maybe I should try to give back. I didn’t know whether I’d be successful, but I still thought I should give it a try. There was real fear, though - in some cases, companies don’t survive,” he says.
SolarWinds did, and Ramakrishna is building a reputation for being a steadfast and reliable leader. At a recent forum of CIOs and CEOs in Florida, an audience member came up after hearing Ramakrishna speak and told him: “Now I can see why your company got through this, because you exude trustworthiness.”
Not all CEOs will be unlucky enough to face such a high-profile and potentially damaging crisis during their tenure, but there are always challenges to contend with. If they can follow Ramakrishna’s principles of openness and humility, they may come out the other side a more capable and trustworthy leader.