Historically speaking, having a plan of attack has gotten a bad rap.
Helmuth von Moltke the Elder, who famously said, “No plan survives contact with the enemy,” shared that sentiment with a predecessor in war, Napoleon Bonaparte, who said, “I never had a plan of operations.” Eisenhower warmed up to planning a bit: “In preparing for battle, I have always found plans useless, but planning indispensable.” Legendary management consultant Peter Drucker is widely quoted as having said, “Plans are only good intentions unless they immediately degenerate into hard work.”
Fortunately, planning continues to have some value for the rest of us, and our troops and first responders are spending as much time drilling as they spend responding to events. Of course, this applies to our line of work as well. Like many business processes, incident response is often addressed by evoking a virtuous cycle: prepare, detect, contain, eradicate, recover and improve.
To respond to incidents effectively, we need to have a dynamic, adaptable plan that we are well-prepared to execute. The detection, containment and eradication phases typically get the most attention. The process starts with assessments, such as the 2019 Cost of a Data Breach Report, and naturally leads to an inspection of organization preparedness across industries. There are many ways to prepare the technical steps needed to contain and eradicate an attack once it is detected, including one of my favorite new tactics: the cyber range.
It’s also worthwhile to plan our responses to the non-technical aspects of incidents. Being prepared in advance to take timely, prudent steps to contain public relations, regulatory, criminal and financial fallout can pay off handsomely by decreasing after-incident costs and recovery time. This level of preparation requires that you plan out two crucial steps: notification and escalation. You need to know in advance how to notify the right parties about the events as they transpire and when to escalate issues.
Incident Communication Is a Crucial Part of Incident Response
Let’s deal with notification first, since escalations often deal with conflicts over notification. Regardless of the issue, when it gets to its full escalation point, the specific actions the decision-maker needs to take must be articulated fully.
We’re using notification here as a one-word shorthand for external incident communications. External in this context means external to the incident — referring to stakeholders who are not directly involved in incident response orchestration and not receiving regular tactical updates.
The first step is to list all external stakeholders who need to be informed about an incident, in whole or in part. This list should include the obvious, such as employees, customers and senior leadership — as well as the board of directors if the situation warrants it. The list also should probably include law enforcement or even the press, if necessary. Finally, less obvious parties, such as suppliers, regulators and your insurance carrier(s) should be on the list as well.
Before you proceed beyond this step, confirm with senior leadership that the list of stakeholders and details to be released in each incident communication template is appropriate and that the notifications will be supported.
Once you identify who needs to be notified and approve the particulars, the next step to tackle is determining what the notifications should say. Each stakeholder should get a sense of their role in the situation from your communications. Employees, public relations (PR), senior leadership and the board will all be responsible for taking different actions on behalf of customers and will therefore need different types and amounts of data. The same goes for customers versus suppliers and law enforcement versus regulators. Think these communications through and check with different stakeholders to ensure that they will have the information they need in the event of a breach.
Include the right people at the front end of the process. Use your customer-focused leadership to help create the templates for customers, use your legal team to help with law enforcement and regulators, and use third-party relations to help with suppliers and vendors. Pull in your PR team and your legal team to help you craft public notifications for the press or social media.
When you’ve identified what’s needed for each stakeholder, your next step is to create communication templates and confirm with your stakeholders that the templates you’re creating will meet their needs. This preparation might not seem critical to handle in advance, but when some public forum is used to discuss or amplify the issue, your ability to respond rapidly will equip your stakeholders with the right information for that moment. Hopefully, this will enable you to de-escalate the issue and help your organization keep control of the narrative.
Plan Your Communications to Stay Calm and Avoid a Crisis
To get those notifications out to the stakeholders you identified in situations of pressure, it helps to define your escalation paths in advance. Determine who needs to approve the messaging at the time, find out who the backup is, and determine who makes the decision to reboot a server or take a critical service offline. You should document what happens if these people are not available when an incident occurs and identify the next person in line and how to reach them.
If you are responsible for safeguarding protected health information or nonpublic financial information — or you have contracts that would trigger breach notification laws — you need to understand the thresholds and work with your legal partners to establish notification pathways for regulators. Also, identify your appropriate law enforcement notification channels. When it comes to notifying regulators and law enforcement, lean on your legal partners. They can also help identify situations where advance deliberations would be best conducted under privilege.
One final point on escalation: it’s not meant to get people in trouble, overrule them or go around them. The reason we escalate is to enable quick and efficient decision-making, and this involves informed authority. Informed authority means identifying the right experts to advise senior leaders when fast decisions are necessary. Give ample thought to the support that a senior leader may need as they make decisions during an escalation.
Now that you have done the hard work of planning how you will notify and escalate during an incident, you can stay calm with the knowledge that your incident response plan is ready.
President, CISO DRG, Inc.