There is an extraordinary amount of money and time spent on detection and response relative to cybersecurity, and much of this conversation is technology focused. In this series of articles, DocuSign CISO Vanessa Pegueros explores a different aspect of incident response — the human being. She asserts that people ultimately orchestrate incident response and the care and development of employees should be at least as important as the development of technology, and she offers items to consider relative to developing the human elements of incident response.
Part Four – The Board’s Role in Preventing Level-One Response
As I mentioned in article one of this four-part series, the typical response to a security threat, incident or breach is the Four D’s: Denial, Damage Control, Defend and Deflect.
I contend that executives and board members are not immune to this response and may in fact be operating at a Level One response (reptilian response mode) when the company encounters a crisis situation. In this final article, I will explore the impact of a breach on executives and board members and offer recommendations for CISOs/CIOs who communicate with them.
In the current environment of cyber threats and corresponding breaches, a common response at the executive level is a knee-jerk reaction to terminate the highest-ranking executive anointed to “take the fall.” With any high-profile breach, tension lurks while everyone anticipates when the CISO/CIO or another executive is going to “quietly disappear.”
Sometimes it is not such a quiet exit, as in the cases of Sony and Target. “In a Feb. 12, 2015 article from the Huffington Post, Amy Pascal, former CEO of Sony, openly admitted that she was fired as a direct result of the December 2014 breach.” (http://www.csoonline.com/article/3040982/security/data-breaches-often-result-in-ceo-firing.html?page=2)
While dismissing an executive is possibly warranted, I don’t believe enough consideration is given to the grave impact this can have on an organization and the trauma it introduces. Employees now have the stress of responding to a security incident as well as worrying about their own job security.
Additionally, the aftermath promotes a heightened fear of making mistakes, which leads to stifled innovation and over-reliance on doing things the way they have always been done. This quite possibly is the perfect formula for another breach.
Another reactive response is to hastily throw money at technology in order to solve perceived problems. But looking at technology in a vacuum without first addressing people and process issues is fiscally irresponsible. Instead, new security tools should be the very last action taken, and should be thoroughly vetted prior to purchase.
Furthermore, when it comes to security tools, organizations tend to transfer blame to the vendors and the perceived failure of their tools. In my experience, failure occurs with how the tools are implemented, rather than with the tools themselves.
I believe executives and board members should have training to understand how their own responses to security incidents and breaches systemically affect the organization. These are opportunities for leaders to model a calm response that promotes organizational learning and resilience. With a more proactive approach, the executive team and board can govern risks more effectively.
As noted in a Forbes article: “Many times CEOs and their C-level reports are frustrated because of the lack of appropriate training for them to determine, at the executive level, what the real risk to their company is. They don’t want to get into the technical details of what the Heartbleed bug does, for example, but they do want to be able to quantify in their mind what their risk is.”
One of the most critical things leaders can do when a security incident or breach occurs is to promote organizational learning and continuous improvement. In the case of the TalkTalk breach, the CEO was clearly expressing a desire to learn from the incident.
Harding (TalkTalk CEO) noted: “In some ways I would love to say this is just a TalkTalk issue, I’d love to believe this is just us – but it isn’t. Do I wish I’d done more? Of course, I do. But would that have made a difference? If I’m honest, I don’t know.”
In my opinion, after the incident is contained and properly communicated, the next critical step is to conduct a “lessons learned” exercise at the board level with all key leadership. The exercise should focus on the organizational process and communication improvements that must be implemented moving forward.
At a minimum, the exercise should cover:
- Risk management process and the reporting around that process – were the security risks properly communicated to the executives and the board?
- Vulnerability management process – did the organization support the timely resolution of critical vulnerabilities, and were they effectively communicated to the organization?
- SDLC process – was security properly addressed in the development process?
- Incident response process – did the organization respond in a manner that minimized the impact to the organization?
- Third party supplier management process – did the organization understand the data residing with their suppliers and how it was protected?
- Communication plan – did the organization follow a clear communication plan and were there opportunities for improvement?
- Security technology strategy – what gaps in the tool set contributed to the breach, what is the tools rationalization process, and are existing vendors delivering as committed?
From this board-level “lessons learned” exercise, leadership can create a program to make improvements across the organization. I would argue that the leadership team best positioned to implement this program is the one that was at the helm when the incident/breach occurred. Accountable people become completely invested in bringing about successful resolution when they realize they were on point when the incident occurred.
Therefore, I believe that terminating leadership because of a breach is an ineffective and counterproductive response, often contributing to an organization operating long term at the first level of reptilian response.
What organizations need most are passionate and accountable people who understand the environment and can lead the effort of organizational learning and improvements, especially in times of a crisis.
In conclusion of the four-part series:
- Automation is needed to move our security teams out of Level One response
- Integration and ongoing practice of the incident response process are critical to creating the organizational muscle memory needed for efficient incident response
- A clear and predefined communication plan enables the effective execution of process
- The Board and Executive management should lead the way toward a culture of resilience and organizational learning