teissTalk: Managing your board during a significant cyber-incident

Data breaches and other security incidents tend to stretch the nerves of everyone, from the teams trying to fix the issue to key stakeholders. All of them can experience a wide range of feelings: denial in the first moments, followed by sheer panic, anger, anxiety and sometimes guilt.

C-level executives and board members tend to become edgy, putting pressure on technology professionals to solve the issue fast. When the board hears the news of a breach, it will go through the five stages of cyber grief, so preparing to deal with these emotional stages should be part of the managerial response. Striking the right balance between a level-headed response and compassion is also key. During a breach, a CISO’s task is to connect the technological and the emotional response to an incident, including communication with senior managers and the board, and to shield the IR team from emotions that could impact their work negatively.

Good leadership is also a vital component of a successful incident response, which isn’t just about having processes in place but also about mutual trust that should be built up over time.

One way to avoid a blame culture is to have the board’s support for cyber security, not just in terms of budget but also as a genuine commitment.

To achieve this, security professionals need to translate cyber risk into business risk. There are different models for that, such as Factor Analysis of Information Risk (FAIR™), the only international standard quantitative model for information security and operational risk.

How CISOs can get the board’s buy-in

It’s also the CISO’s responsibility to act as a cyber psychologist and calm down the board and other stakeholders, so they can deal with the breach sensibly.

To ensure that the board lets security and legal professionals do what they need to, rather than micro-managing them, agreement has to be reached beforehand on a number of deliverables. These include table-top exercises and demonstrating that the cyber security team is spot-on regarding the types of attacks the business is likely to be targeted with, and its ability to deal with them.

You can make security awareness fun by involving the board and executives in cyber security quizzes with a leaderboard, or by recommending books and films that deal with cyber security. Another, slightly riskier approach to raising the board’s awareness is to inform them about the size of their digital footprint. A breach doesn’t necessarily put an end to a CISO’s career, provided they can demonstrate that they’ve laid the groundwork for dealing with a potential incident; they may even get promoted following a successful response!

But with attack vectors, ecosystems and regulations changing all the time, security has to be an ongoing process and CISOs can never rest on their laurels. As a CISO, you should bring more to the table than just security matters. Knowing the ins and outs of the business will make you more trustworthy in the eyes of the board than someone with only niche security expertise.

The panel’s advice

Have a documented plan of what you’re going to do in the event of a cyber-attack, covering both the technical and the organisational side: who you invite to the war room, who you need to contact, how you inform regulators, who is dealing with your communication plan, and how you communicate to employees that the system is down.

Try to build a relationship of trust with your board.

To make the most of table-top exercises, don’t try to accomplish everything in a single exercise. Train board members, for example, to deal with the business aspects of a breach.

Become the department of Yes, but in a controlled manner.

As a legal expert, avoid giving cookie-cutter advice.

To learn more about Mathieu’s book, see mathieugorge.com/book/

© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543