So far in this organizational resilience journey, we have focused mainly on the planning phase, or, as some call it, ‘left of the boom’. For a moment, let’s look at a ‘right of the boom’ (post-incident) theme: crisis management (CM), an important component of your cyber resilience planning.

A good CM plan will be part of a larger governance cybersecurity framework (a topic that we look at in the next piece) and has an emphasis on a vital attribute: communications. Carrying out a CM plan requires knowing roles and responsibilities, when to escalate, when to act, and what (and what not!) to say.

How Cyber Resilience Is Like a Movie

Imagine an incident or cyber resilience crisis as a movie. First, you are introduced to the characters (roles). Then, you learn how they interact (responsibilities). Next, you see them respond to an incident (escalation). And finally, you see what they do about it (act).

In your typical CM plan, your cast of characters will include your security operations center analysts, incident response (IR) team members, supervisors, the chief information security officer, the C-suite, board, general counsel, communications staff and even external partners (think public relations firm, external counsel, external IR consultants, third-party vendors, law enforcement and even news agencies). All these characters have a role to play.

Let’s go back for a moment to the governance issue. If your organization is running in a disparate manner, the phase after the incident will feel like chaos while your precious data is being stolen or destroyed. It’s like a movie with no script and no character arcs, where the only thing you know for certain is that something bad will happen.

A Boring Movie Is a Better Movie

CM planning is like writing a movie script. Sure, you may make some changes along the way, but for the most part, the story is set. Your CM plan maps out:

  • Roles and responsibilities
  • Interactions between parties
  • Escalation measures and decision matrix
  • Activating involvement
  • Messaging
  • Reporting.

With all this mapped out so well, you may be wondering ‘why am I watching a movie if I know what’s going to happen?’ That’s the point. Boring is your friend when it comes to cyber resilience. You want your CM process to be more like a sleepy, lame comedy with bad, anticipated jokes as opposed to an edge-of-your-seat, crash-boom-bang, universe-obliterating action movie.

Know Your Role and Figure Out How to Interact with Others

Unlike the movies, real life does not have a hero who will handle all crisis management tasks. If there is ever a time for a team game, right of the boom is it. You don’t want a deer-in-the-headlights moment or a turf war; or worse, a mix of both. Therefore, know your characters and understand how they interact. In a previous piece, we noted the importance of exchanging business cards prior to the incident. Do that.

Remember this: a crisis will be stressful and it is very likely you will run into a resource crunch, or, worse, staff burnout. A crisis is not the time to play the hero. By assigning responsibilities, not only do you know who is supposed to cover what, you benefit from two important points:

  • You can spot existing resource gaps
  • You can find areas that will require surge support.

You’re preparing for a right of the boom problem, but, in the process, improving left of the boom posture. That’s a double score!

Without defining roles, responsibilities, interactions and communication, you ‘don’t know what you don’t know’. Start figuring this out and get everyone on the same page for better cyber resilience.

Escalation, Decisions and Cyber Resilience on the Screen

‘Best judgment’ is bad judgment in the case of escalation. In fact, you want the exact opposite when it comes to cyber resilience. Understand your organization’s legal and regulatory requirements and start building your escalation requirements from there. For example, the Securities and Exchange Commission (SEC) is coming down hard on disclosure requirements. Recent settlements and consent orders are highlighting this issue. Do not get caught flat-footed. Breaches are bad, and SEC investigations and fines make them worse.

Understand that sometimes you may only have 72 hours to get in front of a camera or file a Form 8-K if you are a publicly traded organization. Therefore, you want your escalation and decision-making process as repeatable as possible. Through this process, you’ll know when to activate your crisis communication staff, when to engage your external counsel and all the other ‘fun’ stuff. Remember, boring is your friend. Narrow the surprises to the incident, not to the process.

Pro tip: CISOs, your soft skills during a crisis will be vitally important, so get to know the cast and the business very well.

Scripts and Aids for Cyber Resilience

When emotions are running high during a crisis, the last thing you want to do is scramble. Therefore, scripts, sometimes known as holding statements, help boost cyber resilience. The same is true for job aids, tailored to specific roles. Think of these as cheat sheets.

  • For holding statements, you want to work with your crisis communications team to ensure they make these detailed enough to get the necessary — and right — information out to the appropriate stakeholders (internal and external). But make sure these statements are not so rigid that people can’t adapt them to the crisis. Remember, you need messages for all types of platforms your stakeholders normally use. If your stakeholders use phone calls, social media blasts may not work.
  • For job aids, it’s like handing your cast a memory card that lists out very tactical ‘do this’ type activities. Think one or two pages max, with all vital information, such as contact information, roles, responsibilities and decision options, there.

Test and Update

Testing and training is a theme that will receive its own piece later in the series, but you absolutely need to run the cast through the wringer in some sort of regular fashion to build up muscle memory. There is also an added benefit: you can update your plans, especially if there have been changes in personnel and contact information.

No cybersecurity resilience framework or business continuity plan is complete without a crisis management plan. It’s the first plan you will activate right of the boom and it’s critical to cyber resilience, so get it right. After all, getting it wrong is costly.

In the next piece, we will look at the importance of governance, ensuring an organization is operating in lockstep.
