Panic, anger, and frustration are common reactions among C-suite executives and board members after a cyberattack.
While companies that have well-established response plans, along with a culture that avoids blame, are better equipped to overcome cyber events, such preparedness is not the norm. More often, the response from the C-suite and board of directors is direct and emotionally charged, and the urge to assign blame takes over. The initial reaction may also be to throw money at the problem. In extreme cases, leadership may decide to fire members of the incident response team or the CISO.
It doesn’t help that CISOs – often the bearers of bad news – aren’t always adept at communicating. According to a recent survey from the RSAC Executive Security Action Forum, 58% of CISOs said they struggle to translate technical language into terms senior leadership can understand, while 82% admitted to feeling pressured to make things sound better than they are when addressing the board.
Given these challenges, what is the best way to ensure that the C-suite’s reactions remain favorable when confronted with a cybersecurity crisis?
Common Post-Incident Reactions
In the aftermath of a cyber incident, cybersecurity professionals could experience one or more of the following reactions from leadership.
The ‘heads will roll’ mentality
As decision-makers increasingly recognize that no company is immune to cyberattacks, they are less likely to kill the messenger, although it does still happen. The outcome may not always be to fire the CISO; instead, they could fire or reassign incident response team members. However, it’s not a good idea to pull that trigger too quickly, said Renee Guttman, a virtual CISO who has previously served as CISO for Coca-Cola, Campbell Soup, and Carnival.
Guttman recalled an incident from several years ago when, after a cyber event, cybersecurity team members asked a company leader if their jobs were at risk. “They said they weren’t going to spend the next three months under their desks trying to fix it if they were just going to be fired,” she said. “That person then convinced the CEO to refrain from firing people over the event.”
A full range of emotions
While panic, anger, and frustration are natural responses, they can lead to misguided efforts and wasted time. “They start taking their eyes off the ball when all that matters at the moment is restoring operations and getting back to normal steady state,” said Andrew Morrison, a partner and principal at Deloitte.
When an incident occurs, it’s fairly common to try fixing the problem by spending money. Investments might be made in forensics, mitigation, external public relations, and the like. This approach isn’t always a bad idea, because an internal team cannot be expected to work around the clock without support from external resources.
Cybersecurity service providers typically have the necessary expertise, resources, and know-how for working with external communications and outside counsel. “It’s amazing how, after an attack, things that were considered unaffordable magically become affordable, and it can open the floodgates for spending on ways to strengthen defenses and do assessments,” Morrison noted.
How To Weather the Storm
There are several steps companies and their CISOs can take to lessen the severity of leadership’s reactions.
Establish clear decision-making authority
One key step is to establish clear lines of authority for decision-making in a cybersecurity crisis. Morrison illustrated this point with an anecdote: “During a postmortem, the cybersecurity team discovered that taking the entire entity offline a few hours earlier would have saved a large sum of money in terms of the cost of the breach. The CISO didn’t do that, assuming that making a decision of that magnitude required the CEO’s permission. The CEO responded that he thought the CISO knew he had permission.”
Keep CISOs informed
CISOs should always be kept in the loop, said Brian Johnson, former CISO of Armorblox (before its acquisition by Cisco) and now a virtual CISO. Failure to do so could result in missing clues that might have steered cybersecurity efforts toward preventing an incident altogether.
“If the CISO didn’t know about an acquisition that might impact certain things, a product launch, or a key staff member leaving, they can’t do their jobs as effectively,” Johnson said.
Engage with the Board
Johnson recommended establishing a regular presence in front of the board. “If the board doesn’t know who you are, doesn’t call you by name, or [know] how to contact you, it’s more likely that you’ll be a scapegoat.”
Prepare for cyber events
It’s critical to prepare in advance. Johnson suggested doing a tabletop exercise to take the C-suite through a bad day. The exercise should be done two to four times a year, incorporating different scenarios each time. One scenario might involve entering a meeting and reporting that a major supplier was breached overnight, exposing all the company’s intellectual property.
Cover all aspects, including PR and legal responses, interactions with the board, and what appropriate communication would look like, Johnson said. “All of those things generate high friction, and practicing is the best way to avoid that friction.”
Get a playbook
Preparation should be based on a proper playbook. “If you have an appropriate playbook with clearly defined roles and [you] routinely practice it, you’ll be better able to reassure the C-suite that you followed the playbook and … have taken the appropriate steps to contain the issue,” Guttman said. With practice, CISOs can confidently delve into investigating the root cause and remediating the issues that contributed to the event.
Guttman recommended using available resources to formulate your strategy and playbook, including the National Association of Corporate Directors’ Handbook on cyber risk oversight, and A CISO’s Guide to Legal Risks and Liabilities from Team8 (particularly the section on conflict resolution).
Furthermore, Jamie Singer, managing director for cybersecurity and data privacy communications at FTI Consulting, suggested building a “communications playbook” as a means of reinforcing message consistency, which she said is critical during a cybersecurity crisis. The playbook should be a collaborative effort involving inputs from a cross-functional messaging and communications response team. The playbook should contain messaging strategies related to customers, the media, employees, investors, and so forth.
5 Communication Tips During a Cybersecurity Crisis
Learning effective communication is critical for constructive interactions, but it’s relatively rare to get it right. An FTI survey found that more than half of cyber executives consider managing communications with internal and external stakeholders to be the top challenge when responding to an incident.
#1. Take a class to improve communication skills
Guttman suggested that cybersecurity professionals go so far as to take courses in effective writing, public speaking, or even acting. These classes can help CISOs understand what does and doesn’t work, as well as how to convey information thoughtfully. “Treat it like you were being subpoenaed,” she said. “I was provided with an acting class and filmed so I could look at my nonverbal cues. It was definitely valuable.”
#2. Keep discussions at a high level
Be very clear and concise and learn to speak their language, Singer added.
“If you get into the technical needs of the archetype of a ransomware attack, for example, you will lose folks,” Singer explained. “Instead, keep it at a high level: What happened, what are we doing about it now, and what can we do in the future to prevent it? I don’t think they need to necessarily know about all the ins and outs of endpoint detection and multifactor authentication.”
#3. Be empathetic
Empathy is underrated, said Taylor Lehmann, director of Google Cloud Health’s Office of the CISO.
“Other than communication, empathy is probably the most important thing, but people sometimes fail to take it into account,” Lehmann noted. “Some people experience issues differently, and sending low empathy messages doesn’t reassure anyone.”
Being empathetic requires looking at things from different points of view. Different stakeholders are affected differently, which makes it important to acknowledge these differences and rebuild trust.
#4. Resist the urge to assign blame
Google Cloud Health is keen on what Lehmann referred to as a “blameless postmortem,” which is conducted after the cyber event has been resolved and empathy has been communicated. The postmortem contains everything you would expect – the way the event was handled, whether the team responded as planned, whether the playbook worked, etc. – all without assigning blame.
Lehmann learned that blameless postmortems are highly effective during his first few months on the job. “Log4J happened when I had only been at Google for a handful of months, and I remember thinking that [the blameless postmortem process] is why I do all of this stuff,” he said. “This culture, which appreciates openness and protects and encourages frank dialog about what went well and what didn’t, really enables effective growth and improvement.”
#5. No coverups
Finally, a piece of advice about what not to do.
Under no circumstances should you conceal, evade, or try to cover up the cyber event, Johnson stressed. “No matter what you do, word will get out. You don’t want that to happen too long after the incident happened because you will have lost all credibility, both with the board and the public.”
About the author: Karen D. Schwartz is a technology and business writer with more than 20 years of experience. She has written on a broad range of technology topics for publications including CIO, InformationWeek, GCN, FCW, FedTech, BizTech, eWeek and Government Executive.