The current state of cybersecurity forces enterprises to accept the reality that crisis management is part of doing business. The challenge for enterprises is keeping pace with hacking exploits that seem unending and ever-evolving. Most enterprises mitigate the impact of such crises by deploying strong network protection technologies such as next-generation firewalls, intrusion detection/prevention systems, skilled outsourced or internal security resources and a strong computer security incident response team (CSIRT). But when a crisis does occur, the enterprise needs to be well-prepared to handle what otherwise could be embarrassing, impactful to the customer base and a possible loss of revenue or market share.
The CISO needs to establish a well-planned and tested incident response program. Effective crisis management requires more than an apologetic press release or a CEO's distinguished appearance on television. A company must take responsibility for its mistakes, but it must also be ready to do damage control and restore the company's name. This tip will provide the most important steps a CISO can take to create an effective crisis communications strategy.
Reputation risk is the possible loss resulting from damage to an enterprise's reputation. It could mean lost revenue, increased operational costs or diminished shareholder value for the company; in the case of the Target breach, it also meant the dismissal of top executives. Although it is hard to quantify, no company wants to find out how accurate its estimate of loss is after a major crisis. The most obvious form of mitigation is well-thought-out preparation.
The importance of crisis management
Crisis management deals with how the company handles a major incident that harms it, its stakeholders or the general public. This process includes the critical component of public relations (PR). When is it necessary to include public relations or invoke crisis management? It is important to get the timing right, because there are repercussions for crisis communications that are invoked too early or too late after an incident has occurred. For example, an incident that is easily contained and readily remediated would render communications to the press unnecessary. Conversely, if the communication is delivered only after the media has disclosed the incident, it may further shed a bad light on the enterprise's awareness of the incident and its ability to issue a response in a timely manner.
Hacker objectives are pernicious, so even if the crisis was self-induced, PR responses need to be incisive. The responses should mitigate concerns of major financial losses or of marring the company's reputation. This can be accomplished by working with the company's PR and legal departments to ensure communications are handled professionally and competently. It is more likely to succeed if the CSIRT program is well planned and has been tested in controlled situations.
Have an honest, thought-out crisis communications strategy
Crisis communications must be honest, resolute and competent. If the communication is coy or equivocal, it will either be apparent during delivery of the message, or it will eventually become obvious and cause greater harm to the enterprise. In the event of a major crisis, the message the company communicates should state the incident has or is being contained, eradication measures have or are being deployed, and recovery processes are currently underway or have been completed to restore the company to a state of normalcy. It's important to state the enterprise is working with the proper government agencies or authorities to identify how the incident occurred and forensic experts have been engaged to ensure proper crisis management steps are being or have been taken. If it's possible, and if it's true, the company should communicate that existing protection measures lessened the actual damages inflicted, but that preventive measures are being strengthened based on lessons learned.
Designate a spokesperson
All employees within the organization need to be instructed that communication with the media is prohibited during the crisis management phase. A single spokesperson who is credible and confident should be the only one authorized to speak for the company. The spokesperson needs to be able to skillfully manage communications and restore confidence among shareholders, employees and executive management alike. Internally, this task should be left to the CISO, but for external communications, the designated spokesperson should be the face of the company.
Six stages of a computer security incident response team plan
- Preparation: One of the most important aspects of a response plan is knowing how to use it once it is in place.
- Identification: Identify whether or not an incident has occurred.
- Containment: Limit the scope and magnitude of the incident.
- Eradication: Remove the cause of the incident.
- Recovery: Restore a system to its normal business status.
- Follow-up: Some incidents require considerable time and effort to close out, including capturing lessons learned.
For more on this subject, read about how to build a better incident response plan using the National Institute of Standards and Technology's guidelines.
Restitution to restore consumer confidence
Restitution goes a long way toward restoring consumer or client confidence. Whatever restitution is selected, whether by the company or a third party, it should be commensurate with the negative impact the incident has caused. It is important for the company to manage consumer or client perception. No one knows your customer base better than you. Select a restitution that will demonstrate the company's resolve to compensate for any loss, damage or injury the customers might have experienced. Give your customers a reason not only to remain customers, but also to commend the company for restoring confidence.
A crisis will happen: Be prepared
This is an era of cybersecurity uncertainty. It is not a question of whether a company will experience a crisis, but rather whether it can competently deal with one when it happens. A company should incorporate a crisis management program into its CSIRT plan, develop real-life crisis scenarios, and perform tabletop tests to ensure everyone -- including executive management -- is prepared for and well-versed in its execution. Companies should also integrate elements of crisis management into their security awareness program and develop a strong crisis communications strategy. Then they can rest assured that when a crisis does occur, they will not be caught off guard.
About the author:
Miguel (Mike) O. Villegas is vice president for K3DES LLC, a payment and technology-consulting firm. Mike has been a CISO for a large online retailer, partner for a "Big Four" consulting firm, VP of IT Risk Management, IT Audit Director for large commercial banks and owner of an information security professionals firm over a span of 30 years.