Five Ways to Lead through Crisis
Security leaders must lay the proper foundation to successfully survive a data breach.
By: Ashley Ferguson
At no time are CISOs more tested, and in danger of losing the confidence of the C-suite, than in a breach crisis. As the headlines continue to pile up in the wake of the global WannaCry ransomware attack, now is a good time to remember that CISOs who resign themselves to "surviving" a breach are at great risk of losing influence, and possibly even their jobs. In contrast, CISOs who cultivate their role as business leaders are often seen as part of the solutions team, not a victim, when a breach occurs.
In the course of hundreds of incident response engagements annually (700+ in 2016), SecureWorks has observed some common denominators among client CISOs who were successful in leading through a breach. Not surprisingly their success had a lot to do with the groundwork they laid ahead of time. I'm a firm believer that it's never too late to get started on the rest of your career, so here are five ways you can take action now to ensure you're positioned to lead through crisis.
#1 Manage Expectations in the Boardroom
Boards often look back on cybersecurity reporting post-incident to determine whether the CISO adequately managed the company's expectations. Get off on the right foot today by driving consensus on the top business risks, e.g. "what would happen to us 'if'," and "what is our tolerance for those risks?" This puts your security priorities in the context of the company's strategy, which is a language everyone at the table can understand. CISOs who garner more credibility with the board also tend to leverage independent assessments to frame their priorities. Some will share a roadmap with the board to help convey progress. Most keep the board up to date on emerging risks in the context of business impact.
Finally, earn more confidence by providing the kind of replicable information that helps board members monitor risk over time. As with financial risk, boards want to monitor how well cybersecurity risk is being managed not just at a point in time, but along a trend line.
#2 Forge Good Partnerships and Keep Them at the Ready
Talk to anyone who's been through the fire and they'll agree: "The worst time to negotiate an incident response contract is in the midst of crisis." When push comes to shove, it's far easier to mobilize people who know and understand you, your business risks, and your strategy. Nurture three types of partners so they're "at the ready" when the unexpected occurs:
- Security and IT partners – Consider all the scenarios, not just digital forensics. Have you thought about a phishing site take-down? Gear replacement? Threat intelligence?
- External partners – Think about top business risks. Is credit protection on speed dial? It's also wise to have pre-established relationships with law enforcement agencies, external counsel for privacy issues, cyber insurance, customer call center, and crisis/reputation management specialists.
- Executive partners – Find an executive sponsor in your C-suite today. My own relationship with General Counsel was invaluable when I was a CISO, giving me the benefit of the doubt when there were challenges. We also enabled one another's performance by trading insights on the risks.
#3 Insist on a Dynamic Incident Response Plan
Simply having a plan in place doesn't ensure that you'll have control when a breach becomes a crisis. Incident response plans should be dynamic – or adaptable – to the needs of the business. Your plan is dynamic if you:
- Engage the whole business. Without buy-in from all parties, it's unlikely a plan will be executed as intended. Confirm that each individual understands his or her role.
- Test communication and ownership in rehearsals. A top failure in crisis is the communication breakdown, especially between CIRTs and Crisis Management Teams. Testing should confirm whether individuals understood and executed their roles.
- Make sure the plan is adaptive to business evolution. The plan should be updated as strategy and personnel changes occur. Threats evolve too, so conduct periodic threat assessments and test against the most likely scenarios.
- Resource it appropriately. If a plan can't be executed, it's not a plan. It's just an idea.
#4 Lead With the "Right" (right information, to the right people, at the right time)
In a crisis situation, security leaders must be prepared to get facts as quickly and accurately as possible in order to manage the message, timing and chain of command from the get-go. What CISOs disclose and when can affect them for years into the future. It's a fine balance to avoid escalating before you have enough facts to manage the situation, but escalating too late can have dire consequences. Imagine a board member hearing about the breach for the first time on the news.
The keys to getting the right facts in crisis include: traceability, endpoint visibility, centralized logging and storage, evidence handling, intelligence with context, and forensics. With these capabilities in place, it's more likely you'll be able to get from "we think" to "we know" more efficiently and avoid the types of re-statements that dogged companies in recent high profile crises.
#5 Apply Lessons Learned
What we learn makes us stronger, and a sign of true leadership is when a CISO leads the charge to apply what the company learned through the breach crisis (or breach simulation) back into the company. Lessons learned should inform security operations, processes and the IR plan for better execution next time. Ask three questions: "What did we learn?", "How will we apply those lessons to reduce risk?" and "What's the best way to communicate those lessons to the business?"
The CISO role will always be "in the hot seat" when a breach crisis does occur, but those who can demonstrate business leadership as well as cybersecurity risk management are in a better position to avoid "being on the chopping block" instead.