Develop muscle memory, and patience, through simulations:

Authority under crisis is meaningless if you can’t establish followership. And this goes beyond the incident response team: CISOs must communicate with the entire organization, a commonly misunderstood imperative, says Pablo Riboldi, CISO of nearshore talent provider BairesDev.

“I find that employee involvement tends to be overlooked during cyberattacks. Many times, employees aren’t even aware of their role during a crisis, which can create chaos when things go sideways,” says Riboldi, who advises regular training in the form of staff simulations and tabletop exercises to prepare the company and make everyone feel more confident.

James Ngui, sales engineering director at Trend Micro, also recommends simulations, particularly those that mimic the emotional intensity of actual incidents, because stress and pressure during a security incident can degrade team performance.

“Organizations should provide training on stress management and decision-making under pressure, which includes perhaps mental health support resources in the incident response plan,” Ngui says.

Larry Lidz, vice president of CX Security at Cisco, also advocates for tabletop exercises as a way to get employees to “look at problems through a different set of lenses than they would otherwise look at them.”

Lidz led a simulation of a flu-based pandemic at a previous company, which came in handy during COVID-19. Although some of their assumptions were incorrect, the team was able to quickly adjust to working remotely and maintain business continuity based on that earlier exercise.

Lidz suggests that all levels of the organization, including the technical team and senior leadership, conduct tabletop exercises.
He also recommends a combined simulation in which the technical team is in one room, executives are in another, and each group has to wait on the other before deciding what action to take next.

“One of the most difficult things that I see executive leaders deal with during security incidents is the need to be patient. When we’re dealing with security incidents, there’s a ton of unknowns, and there’s a ton of analysis that needs to go on. Sometimes that means the right thing for an executive to do is sit and wait for that next update,” Lidz explains.

Linux Foundation’s Robinson is another proponent of tabletop exercises. He says his organization runs simulations for its open-source upstream projects so that people understand what is required of them in the middle of a crisis. “It helps develop some muscle memory so that when the red phone rings, they at least are familiar with the terms and what they need to do,” he says.

Maintain calm in the face of the storm:

Remaining calm in the face of a cyberattack can be challenging, but prime performance requires it, New Relic’s Gutierrez says. “There’s a lot of reaction. There’s a lot of strong feelings and emotions that go on during incidents,” Gutierrez says.

Although they have had moments of losing composure, Gutierrez says they have generally been calm under cyber duress, which they take pride in. Demonstrating composure as a leader under fire matters because it influences how others feel, behave, and act.

“That really helps with not just your teams, but also senior leaders, senior management, other stakeholders across the company, and your board and sometimes with your customers,” Gutierrez says.

eSentire’s Crowley says another pitfall is getting too lost in the technical details. “The CISO should not be the hands-on keyboard person during an incident response. Those responsibilities should fall to others on the response team,” he says.

Crowley likens the CISO to a military leader surveying the battlefield. “The CISO needs to know that their role is to be that composed leader in charge. They need to be focused on leading the team, setting the strategy, bringing in external support, clearing roadblocks, answering questions, and communicating,” he says, emphasizing that cybersecurity incidents have their own “fog of war.”
Trust your team, and open yourself to outside help:

When crisis hits, CISOs can fall into a responsibility trap, trying to do too much on their own.

“A lot of times, the CISO might feel the pressure that they need to handle everything. ‘Oh, this is what I’ve been hired for. I need to be the one resolving this,’” Crowley says.

Although cybersecurity resourcing varies from company to company, few organizations can handle incidents entirely in-house. CISOs must be humble enough to know when to seek external help.

“In retrospect, if you’re going through a cyberattack, nobody’s going to care if you save some money by not bringing in external counsel or external incident response if that would have saved your company,” he says.

Create social capital across the company:

Trend Micro’s Ngui says engaging employees during a cyberattack requires using language appropriate for the audience at hand. According to Ngui, CISOs and technical leaders often speak in jargon that the rest of the organization finds hard to follow. Security leaders should instead develop a common vocabulary aimed at a layperson so that employees understand the situation and their roles in responding to it.

“It is essential for the technical team to cultivate the ability to convey intricate security incidents in terms of clear, actionable business impacts. This skill enables executives and other stakeholders to understand the situation fully and make informed decisions,” he says.

Engaging with stakeholders is easier when you have already built rapport with them. New Relic’s Gutierrez says this is essential because the cybersecurity team will be experts in incident response but may lack knowledge in other critical areas. “They’re not always experts at specific parts of a company’s infrastructure or products or services. And that’s where we need the skills and knowledge that our partners across the company have to assist with,” Gutierrez says.

To address this gap, Gutierrez recommends building relationships with colleagues across the organization, such as marketing, sales, and finance. At New Relic, the incident response team has leaned heavily on its relationship with engineering, which has assisted with data analysis to understand issues when incidents have occurred.

“Having that pre-established relationship made it very easy to get things done. There was no questioning. They understood. There wasn’t very much pushback. It was easy to get people’s time and skilled efforts,” Gutierrez says.

eSentire’s Crowley advises CISOs to use specific channels to build rapport with different stakeholders, such as biannual security updates for the board of directors. Crowley believes these connections create goodwill and crucial understanding that go a long way toward ensuring collaboration and support during a cybersecurity incident.

“When there is a crisis, they know you; you know them. You know the best way to communicate with them and the questions they’re going to ask, and you’ve already established that you are the person in charge,” he says. “They don’t have to be worried.”

Take accountability through action:

Sakshi Grover, senior research manager for IDC Asia, advises organizations facing a cyberattack to avoid the blame game. Instead, CISOs should take ownership and move forward with leading the response. “People usually want to see a senior face come and take accountability,” she says.

Adriyan Pavlykevych, CISO at SoftServe, shares this belief and offers an example. A ransomware attack struck the software development and consulting company after a successful phishing attempt on an associate. The threat actor moved laterally, compromising administrative accounts before encrypting virtual machines.

Because the attack affected customers, Pavlykevych met right away with their infosec teams, providing ongoing briefs on progress, incident investigation, and recovery “to ensure transparency and accountability,” an essential part of SoftServe’s cybersecurity ethos, Pavlykevych says, noting that this approach strengthens trust with stakeholders.

After the ransomware attack, SoftServe reviewed and audited its security controls, which eventually led to an improved approach to storing and sharing personal and client data, as well as security and privacy awareness workshops for associates. Addressing the underlying issues that let the breach happen and allowed it to advance is vital, but not through finger-pointing.

IDC’s Grover says that despite the CISO’s best efforts, a cybersecurity incident will still cause reputational harm. Rebuilding trust after a cyberattack can be challenging but is essential.

“If you take all the right steps in the right direction, you can reverse this brand image,” Grover says, adding that CISOs may want to consider the expertise of a PR agency or consulting firm to assist with this task.

CISOs should also give special consideration to communicating with the board, which may influence high-level cybersecurity investments in products or services that reduce exposure to future attacks, she says.

“Go to the board. You clearly outline why: What was the cause of the breach? What are [your] lessons learned? You accept the responsibility, and then you slowly move towards regaining your credibility as well,” she says.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3846318/6-hard-earned-tips-for-leading-through-a-cyberattack-from-csos-whove-been-there.html