A Consequential Hire at a Consequential Company
SolarWinds has appointed Justin Henkel as its Chief Information Security Officer, promoting him into one of the most scrutinized security roles in the industry. Henkel joins from the privacy and governance platform OneTrust, where he was deputy CISO, and he arrives with an unusual dual background: 25 years as an intelligence officer in the United States Air Force layered onto commercial security leadership. That combination of national security instinct and enterprise pragmatism is precisely the profile a company in SolarWinds' position needs.
The context is impossible to ignore. SolarWinds is the vendor whose Orion platform was weaponized in the Sunburst campaign, an intrusion attributed to a nation state that turned a trusted software update into a delivery mechanism for espionage against government agencies and Fortune 500 firms. More than five years later, the company still carries that history. The CISO who holds the badge is not just defending SolarWinds, he is a living argument about whether the company has genuinely changed.
The Long Shadow of Sunburst
Sunburst did not just breach one company, it rewrote the enterprise threat model. It taught boards that the software they trust most, the tools with privileged access across the network, are exactly the tools an adversary most wants to poison. It accelerated the entire software bill of materials movement, hardened build pipelines across the industry, and made supply chain risk a standing agenda item for CISOs everywhere. SolarWinds became the case study taught in every security program.
That legacy cuts two ways for the new hire. On one hand, few companies have invested as visibly in secure development since their worst day. On the other, the bar for SolarWinds is permanently higher than for its peers, because any future incident will be read against the original one. Henkel inherits both the machinery that has been built and the burden of proof that never fully lifts. His job is to keep demonstrating, quietly and continuously, that the lesson took.
What Henkel Actually Brings
Coming from OneTrust is a meaningful signal. Privacy and governance tooling forces a leader to think in terms of data flows, consent, and provable controls, the connective tissue between security and regulatory accountability. As enterprises face tightening rules on breach disclosure, data handling, and AI governance, a CISO fluent in that language is more valuable than one who only speaks in terms of firewalls and endpoints. Henkel's OneTrust tenure suggests he can operate at the intersection of security and compliance where much of the modern risk lives.
His military intelligence background adds a different muscle. Two and a half decades of intelligence work instills a discipline around adversary intent, attribution, and the patience of sophisticated actors. For a company that was targeted by exactly that kind of adversary, an instinct for how nation state operators think is not a nice to have. It shapes how you prioritize, how you hunt, and how seriously you take the low and slow signals that automated tooling tends to miss.
Secure by Design as a Standing Commitment
Since Sunburst, SolarWinds has publicly committed to a Secure by Design posture, rebuilding how it develops, signs, and ships software with parallel build systems and tighter integrity controls. That work is the substance behind the reputation project, and it is the foundation Henkel now owns. The value of a CISO in this setting is not to invent the program from nothing but to sustain it, evolve it against new threats, and keep it honest as commercial pressures push for speed.
We would argue the harder challenge is cultural rather than technical. Secure development practices decay when they become box ticking, and the discipline that follows a crisis tends to erode as the crisis recedes in memory. Keeping an organization tense in the right way, years after the event that scared everyone, is the real test of security leadership. That is the fight Henkel is signing up for, and it is largely invisible until the day it fails.
Rebuilding Trust Is a Product, Not a Press Release
The uncomfortable truth for any breached vendor is that trust, once broken, cannot be restored by communications. It is rebuilt through the accumulation of uneventful quarters, transparent disclosures, and a security posture that customers and auditors can actually inspect. SolarWinds has leaned into transparency about its practices since Sunburst precisely because opacity is what breeds suspicion, and a CISO in this environment functions partly as the public face of that openness, someone customers can question and hold to account.
That external dimension makes the role unusual. Most security chiefs operate largely inside the organization, answerable to the board and the regulators. Henkel will also be answerable, implicitly, to a customer base that watches SolarWinds more closely than it watches almost any other vendor, and to an industry that treats the company as a bellwether. Handling that scrutiny well, neither defensive nor complacent, is a communications and leadership skill as much as a technical one, and it is part of why the appointment carries weight beyond the org chart.
A Symbol for the Whole Supply Chain
Every enterprise now depends on software it did not write and cannot fully inspect. SolarWinds sits at the emotional center of that dependence, which gives its security leadership a symbolic weight out of proportion to the company's size. When SolarWinds hires a CISO, buyers across the industry read it as a barometer of how seriously the software supply chain is being taken. This appointment reads as a serious one.
For security leaders elsewhere, the takeaway is about resilience of reputation as much as systems. A breach does not have to be terminal if the response is credible, sustained, and staffed by people who understand what went wrong. Whether Henkel succeeds will be measured not in a single quarter but in the long absence of a second headline. In supply chain security, the best outcome is a story that never gets written.



