Most CISOs now plan on the basis that a cyber-attack or data breach will happen, but there is still work to do to if organizations are to survive a crisis and recover, warned industry experts.
Effective cyber crisis management is a key part of resilience. According to a panel of CISOs and cyber experts at Infosecurity Europe, security leaders need to develop, update and above all rehearse their crisis management plans.
These plans aren’t just technical in nature: they need to cover command-and-control, communications, and even the wellbeing of the teams responding to the incident.
High-profile cyber-incidents, including ransomware, as well as the global pandemic, have forced boards to pay more attention to both resilience and recovery.
“We now talk in the language of when not if,” said Paul Watts, distinguished analyst and vCISO at the Information Security Forum. “The reality is, it happens to everybody.”
Effective incident response plans, however, need to be clear, comprehensive and communicated to all stakeholders. Plans also need to be practiced, or as the panel put it, “exercised.”
“The reaction of the company really does depend on maturity and how well exercised people are,” said Jennifer McGhee, CISO at Element Materials Technology.
Cyber professionals have a “very solid understanding” of what needs to happen during an incident.
“But that's not necessarily intuitive to people working in the business or intuitive to a board that haven't been in that position before. It is our job as cyber leaders to communicate that to the business, to communicate it to the board so that people are expecting it,” McGhee explained.
Leave it to the Pros
One of the hardest parts of crisis response can be convincing senior leaders, and the board, to step back and let the experts handle the situation. This requires a good plan, but also a good relationship with the business and effective communication before a crisis hits.
“One of the hardest things I've had to do, when I worked at a previous company, was tell my CEO not to do anything and to sit on his hands,” said Stuart Seymour, group CISO and CSO at Virgin Media o2.
“Senior leaders, when they see something on fire, want to put their cape on and fly in to save the day themselves,” he said.
An effective strategy, and one Seymour followed when he arrived at Virgin Media o2, was to meet all the senior executives “in peacetime.” That way, the relationships and communications channels were there before a crisis hit.
Preparing for a crisis also means involving stakeholders in planning – including PR, customer communications, legal and HR – and keeping plans under review.
“It only works if you don't write up the plan, put it in a cupboard and then only ever revisit it when there’s an incident,” cautioned McGhee. “It's fine to have plans and policies and procedures, but they're only as good as how well you've tested them and exercised them.”
Value From a Crisis
Meanwhile, Tomas Roy, director of the Cybersecurity Agency of Catalonia, advised that transparency is key to an effective crisis response.
Organizations can also learn from a crisis. It reveals weak spots, improves collaboration and, assuming the organization can recover, ensures cyber is more firmly on the agenda. “All incidents are an opportunity,” he said.