So far in this organizational resilience journey, we have focused mainly on the planning phase, or, as some call it, ‘left of the boom’. For a moment, let’s look at a ‘right of the boom’ (post-incident) theme: crisis management (CM), an important component of your cyber resilience planning.
A good CM plan will be part of a larger governance cybersecurity framework (a topic that we look at in the next piece) and has an emphasis on a vital attribute: communications. Carrying out a CM plan requires knowing roles and responsibilities, when to escalate, when to act, and what (and what not!) to say.
How Cyber Resilience Is Like a Movie
Imagine an incident or cyber resilience crisis to be like a movie. First, you will be introduced to characters (roles). Then, you will learn to understand how they interact (responsibilities). You will then see them respond to an incident (escalation). And finally, see how they respond (act).
In your typical CM plan, your cast of characters will include your security operations center analysts, incident response (IR) team members, supervisors, the chief information security officer, the C-suite, board, general counsel, communications staff and even external partners (think public relations firm, external counsel, external IR consultants, third-party vendors, law enforcement and even news agencies). All these characters have a role to play.
Let’s go back for a moment to the governance issue. If you are running in a disparate manner, the phase after the incident will feel like chaos while your precious data is being stolen or destroyed. It’s like a movie with no script, no character arcs, and the only thing you know for certain is that something bad will happen.
A Boring Movie Is a Better Movie
CM planning is like writing a movie script. Sure, you may make some changes along the way, but for the most part, the story is set. Your CM plan maps out:
- Roles and responsibilities
- Interactions between parties
- Escalation measures and decision matrix
- Activating involvement
With all this mapped out so well, you may be wondering ‘why am I watching a movie if I know what’s going to happen?’ That’s the point. Boring is your friend when it comes to cyber resilience. You want your CM process to be more like a sleepy, lame comedy with bad, anticipated jokes as opposed to an edge-of-your-seat, crash-boom-bang, universe-obliterating action movie.
Know Your Role and Figure Out How to Interact with Others
Unlike the movies, real life does not have a hero that will handle all crisis management tasks. If there is ever a time for a team game, right of the boom is it. You don’t want a deer caught in the headlights moment or a turf war; or worse, a mix of both. Therefore, know your characters and understand how they interact. In a previous piece, we noted the importance of exchanging business cards prior to the incident. Do that.
Remember this: a crisis will be stressful and it is very likely you will run into a resource crunch, or, worse, staff burnout. A crisis is not the time to play the hero. By assigning responsibilities, not only do you know who is supposed to cover what, you benefit from two important points:
- You can spot existing resource gaps
- You can find areas that will require surge support.
You’re preparing for a right of the boom problem, but, in the process, improving left of the boom posture. That’s a double score!
Without defining roles, responsibilities, interactions and communication, you ‘don’t know what you don’t know’. Start figuring this out and get everyone on the same page for better cyber resilience.
Escalation, Decisions and Cyber Resilience on the Screen
‘Best judgment’ is bad judgment in the case of escalation. In fact, you want the exact opposite when it comes to cyber resilience. Understand your organization’s legal and regulatory requirements and start building your escalation requirements from there. For example, the Security Exchange Commission (SEC) is coming down hard on disclosure requirements. Recent settlements and Consent Orders are highlighting this issue. Do not get caught flat-footed. Breaches are bad, and SEC investigations and fines make them worse.
Understand that sometimes you may only have 72 hours to get in front of a camera or file a Form 8-K if you are a publicly traded organization. Therefore, you want your escalation and decision-making process as repeatable as possible. Through this process, you’ll know when to activate your crisis communication staff, when to engage your external counsel and all the other ‘fun’ stuff. Remember, boring is your friend. Narrow the surprises to the incident, not to the process.
Pro tip: CISOs, your soft skills during a crisis will be vitally important, so get to know the cast and the business very well.
Scripts and Aids for Cyber Resilience
When emotions are running high during a crisis, the last thing you want to do is scramble. Therefore, scripts, sometimes known as holding statements, help boost cyber resilience. The same is true for job aids, tailored to specific roles. Think of these as cheat sheets.
- For holding statements, you want to work with your crisis communications team to ensure they make these detailed enough to get the necessary — and right — information out to the appropriate stakeholders (internal and external). But make sure these statements are not so rigid people can’t adapt them to the crisis. Remember, you need messages for all types of platforms your stakeholders normally use. If your stakeholders use phone calls, social media blasts may not work.
- For job aids, it’s like handing your cast a memory card that lists out very tactical ‘do this’ type activities. Think one or two pages max, with all vital information, such as contact information, roles, responsibilities and decision options, there.
Test and Update
Testing and training is a theme that will receive its own piece later in the series, but you absolutely need to run the cast through the wringer in some sort of regular fashion to build up muscle memory. There is also an added benefit: you can update your plans, especially if there have been changes in personnel and contact information.
No cybersecurity resilience framework or business continuity plan is complete without a crisis management plan. It’s the first plan you will activate right of the boom and it’s critical to cyber resilience, so get it right. After all, getting it wrong is costly.
In the next piece, we will look at the importance of governance, ensuring an organization is operating in lockstep.