Preventing confidential information from leaking into the wrong hands has become a high priority for every big company in the past decade. Millions of dollars have been spent on teams and technology to manage the risks, and billions more will be spent in the years to come. Information “breaches” have never been more costly to companies, or more difficult to prevent.
But despite all the spending, many companies still struggle with fundamental issues, such as how to put their crisis management plan into action when the worst does happen.
Firms can often become paralyzed by poor communication between different teams – especially those in different functions (information security teams that are part of the IT function and data privacy teams that are part of the corporate compliance function, for example) – a failure to manage the demands on the time of information security staff, or a struggle to respond to unanticipated developments in what is almost always a fast-moving crisis.
Information security staff play a critical role in resolving all these problems. It helps to understand three typical points where cyber crisis responses break down, as well as four ways to prepare a company for the almost inevitable cyber crisis it will face.
Cyber Crisis Responses are Hard to Get Right
Companies often hit three major problems during cyber crises.
Poor coordination between those involved in managing the crisis: Senior line managers whose area of the business has been affected by the crisis will not only be stressed but will also use quite different terminology from information security staff.
They will also likely have a conflicting understanding of roles and responsibilities, and use ad hoc communication lines — all of which inhibit crisis management decision making.
Difficulty managing demand on the information security function: Demand placed on security staff during cyber crises – ranging from colleagues in the line asking for help to an incident that suddenly becomes larger and more complex — stymies the information security team’s ability to implement its incident response plan.
Inability to adapt to unanticipated developments: Line managers and senior executives involved in the crisis often use a narrow understanding of “cyber crisis” to build a response plan that reinforces poor assumptions and diminishes the information security team’s ability to react quickly to unanticipated developments.
Four Ways to Prepare Your Organization for Cyber Crises
While information security teams are not (nor should they be) equipped to own all aspects of cyber crisis management, they have unique expertise and often a mandate to improve the company’s preparedness for cyber crises. They can do so in four steps.
Use trigger points to detect cyber crises earlier: Information Security often has limited visibility into the events that could lead to a cyber crisis, such as HR investigations, procurement issues, media requests for comment, or customer service questions.
To help, information security teams should define and distribute typical cyber crisis “trigger points” — a series of easy-to-interpret statements that, if found to be true by anyone in the organization, trigger an enterprise-wide response (see chart 1 for examples).
Chart 1: Defining cyber crisis trigger points (Source: CEB analysis)
Formalize roles and responsibilities for crisis management participants: Managing cyber crises is a team sport that requires coordination across participants throughout the organization. When individual roles and responsibilities are unclear, this coordination breaks down and decision making slows.
To address this, document individual roles and responsibilities across crisis management participants and then formalize these decisions by communicating them to senior leadership and even the board.
Document “tribal knowledge” to improve security’s response: Fast, effective responses to cyber crises require a lot of detailed knowledge, much of which resides with individuals on the information security team.
Unfortunately, when these individuals leave the organization or change roles, this knowledge is lost and has to be relearned or tracked down, often in the middle of a crisis. Centrally documenting Information Security’s tribal knowledge helps everyone access important knowledge quickly.
Develop cyber crisis testing scenarios that challenge assumptions: When done well, enterprise-wide cyber crisis testing improves a company’s preparedness through hands-on practice. But without Information Security’s leadership and expertise, organizations may create simplistic testing scenarios that reinforce poor assumptions.
Instead, Information Security should craft testing scenarios that challenge participants to navigate tough, ambiguous situations and that expose gaps in the response plan that need remediation. In this way, Information Security can ensure testing actually produces the improvements senior management seeks.
Chart 2: Identifying gaps in the response plan (illustrative; Source: CEB analysis)