November 16, 2016 By Caleb Barlow 3 min read

You are driving in your car with your 10-year-old son in the passenger’s seat. A ball bounces in front of your car and you hit the brakes hard while simultaneously throwing your arm in front of the child, acting almost automatically. That’s called muscle memory, and it is a big part of what organizations need when responding to cyberattacks.

Cyberattack Defense Is Muscle Memory

When asked how to launch an effective cyberattack defense effort, most people give technology-related answers: Beef up the firewalls, fortify the network, and deploy better intrusion detection and security analytics solutions.

While technology is certainly important, the responses coming from your organization during and following the attack — the human side of the equation — are even more vital. Yet despite a wealth of good advice, I estimate that in 8 of the last 10 large-scale breaches, the response from the organization under attack did as much or more damage than the attack itself. Most of that damage was reputational.

Why is that? Very few C-level executives have been trained in crisis leadership. They seldom have to make urgent decisions in near-real time. The usual practice is to build a team around executives to provide input. They carefully study these inputs and weigh them against other information to develop a set of options. Eventually, they fashion a response. This could happen days or weeks later — or, in some cases, not at all.

The Worst Response Is No Response

That explains why the response to a major breach is so often little or no response at all. Often the blame is directed at some vague state-sponsored source when, in reality, the company has no legitimate suspects because attribution is very difficult. That’s when problems arise beyond the actual damage from the breach. Customers worry about their personal information. Suppliers and partners get antsy. Tort lawyers start to circle overhead. Confidence in the organization drops while suspicion mounts.

Most all of this post-attack damage is avoidable and unnecessary. First, all organizations must presume that they will fall victim to a major breach at some point. There is no safe harbor, as should be evident to anyone listening to the news these days.

Second, the management team needs to undergo in-depth training in crisis management when an attack does happen. This team needs to prepare and rehearse responses for customers, suppliers, regulators, the media and the board. Of the 50 states in the U.S., for example, 47 of them have their own unique breach disclosure laws. You must develop a plan in advance that comply with these laws specific to any states in which you do business. These responses must be ingrained as executive muscle memory.

Filling the Gaps

To help IT professionals thoroughly prepare to deal with cyberattacks, IBM opened its X-Force Command Center (XFCC), a simulator designed to train executives in the crisis leadership skills they’ll need to respond to a breach. In the all-day course at the XFCC, teams will first experience a highly realistic, simulated cyberattack. They’ll be exposed to the variety of ways the technical staff tries to detect and stop the attack and then swing into recovery mode.

Participants will spend the second half of the day planning the proper response steps and rehearsing them. The central idea is to infuse executives with the confidence and experience of doing something that their MBA training and business experience likely failed to address. Leadership during a cyberattack defense effort requires a full-throttle response in hours, not days or weeks.

Discover How IBM X-Force Command Centers Are Changing Security

A Predetermined, Definitive Response

Think back to the Tylenol scandal of 1982, when criminals tampered with bottles and laced the pain-relieving pills with poison that killed several people. Tylenol’s maker, Johnson & Johnson, immediately removed the product from all store shelves, even though there was no indication of a manufacturing problem. The parent company trusted its brand to survive such a hit, and indeed it did. The company was widely applauded for its leadership in a time of crisis and its near-instant response.

Breaches will continue to happen, possibly even at an accelerated pace, given the growing interconnectivity all around us and the expanding threat surface that comes with it. The worst thing a company can do in response is what so many end up doing — nothing. Instead, be prepared to meet the crisis with predetermined, definitive responses.

Learn More

Interested in learning more about how IBM’s X-Force Command Centers will help clients stay ahead of the most advanced threats?

More from CISO

Making smart cybersecurity spending decisions in 2025

4 min read - December is a month of numbers, from holiday countdowns to RSVPs for parties. But for business leaders, the most important numbers this month are the budget numbers for 2025. With cybersecurity a top focus for many businesses in 2025, it is likely to be a top-line item on many budgets heading into the New Year.Gartner expects that cybersecurity spending is expected to increase 15% in 2025, from $183.9 billion to $212 billion. Security services lead the way for the segment…

On holiday: Most important policies for reduced staff

4 min read - On Christmas Eve, 2023, the Ohio State Lottery had to shut down some of its systems because of a cyberattack. Around the same time, the Dark Web had a “Leaksmas” event, where cyber criminals shared stolen information for free as a holiday gift. In fact, the month of December 2023 saw more than 2 billion records breached and 1,351 disclosed security incidents, according to research from IT Governance — an increase of 332% and 187%, respectively, over the month of…

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today