Why You Need a Cybersecurity Crisis Management PlanA CISO Offers Insights Based on Real-World Experience
Understanding the difference between cybersecurity crisis management and security incident response could be critical to your organization's survival.
See Also: Threat Horizons Report
A security incident response plan focuses on day-to-day security issues, such as routine malware infections and distributed denial-of-service attacks. In contrast, a cybersecurity crisis management plan focuses on actions and processes that must be undertaken to protect and defend the reputation of the organization, its products and its services. Crisis situations could include mass loss of credit card numbers, Social Security numbers, financial information or protected health information.
So what can CISOs do to augment their security incident response plans with cybersecurity crisis management components? Here is some guidance based on my experience in dealing with a breach.
Involve Executive Leadership
In a crisis situation, the CEO and his direct reports are thrust in the forefront of responding to customers, local authorities, business partners and the media. They all want to respond quickly and mean well. However, I have seen them convey contradicting messages or provide too little or too much information that has complicated matters unnecessarily. Therefore, it is essential to train them ahead of time. These leaders need to be familiar with their specific functions and roles during a crisis and need to be able to follow a playbook.
Create Formal Cybersecurity Crisis Management Plan
Either include the following key elements in your incident response plan or preferably create a separate document with:
- Name of executive stakeholders;
- Representation from legal, privacy, compliance and corporate communications;
- Delineation of specific roles and responsibilities for each of the executives;
- Threat matrix with severity levels and associated response protocols;
- Statements for customers, business partners, media and external agencies;
- Pre-crafted communication templates for breach notifications as required by state privacy laws;
- Arrangements to immediately provide identity and credit protection services to affected individuals.
I have found pre-crafted communication templates to be, perhaps, the single most useful element. During a crisis, it's really hard to come up with the right words to communicate with your customers and other interested third parties. In one specific instance in my past, a single notification to customers took over a week to finalize because information security, corporate communications and legal could not agree on the wording
What you say could make or break the organization. So, think through the various scenarios and come up with generic communication templates that have been reviewed by your company's corporate communications, compliance and legal departments.
The creation of the plan is just the first step. The second and more challenging step is to implement the plan across your company, including among senior executives.
Conduct Breach Simulations
Lead the executives and the critical leaders in a table top exercise that simulates a breach scenario. Find a reputable third party to help lead this effort.
An increasing number of companies are offering this service. The offerings range widely in content, format and pricing. Find something that works for you based on your budget and organizational culture. One of the best simulations that I have been part of was led by one of the big name consulting companies. They even had fake news videos showing how the media was reacting to the breach. You may not need to go to this extent, but you should look for a polished presentation that can hold the attention of your executives.
Engage a Forensics Company
Once a breach is detected, there is an extreme amount of urgency in investigating it or mitigating it. Support from forensics experts is generally required. In that moment of crisis, finding a suitable third party and putting together a master services agreement or a statement of work becomes a challenge.
Therefore, it is imperative that a company's information security, compliance and legal departments jointly spend time in evaluating and selecting potential security vendors ahead of time.
Involve Your Legal Team
One of the critical areas of focus during the course of a breach should be on "protecting the privilege." The attorney-client privilege is an invaluable mechanism to protect any sensitive communications or information (such as the cause of the breach or the extent of the loss of information) from being forcibly disclosed by any third parties, including customers, competitors and law enforcement authorities. Without such protection, an organization may be vulnerable to civil or criminal lawsuits. In fact, I have recently seen consulting companies disclose the results of their risk assessments to government agencies. The lawyers in your company will help you ensure that appropriate clauses are included in the MSA and the associated SOWs to keep the attorney-client work confidential.
It's only a matter of time before your organization will find itself in the unfortunate situation of suddenly realizing that it's suffered a targeted breach. Therefore, it's imperative to prepare in advance and be ready to respond in a manner that ensures your customers as well as your organization's own interests are adequately protected. That due diligence can be demonstrated with a formal cybersecurity crisis management plan