Cybersecurity Crisis Management (CCM) Considerations - A 7-Step Strategy

Posted by Geoff Stoker on Feb 26, 2019 9:03:00 AM

Does your organization have a stated cybersecurity crisis management (CCM) strategy? If you said “no,” then by implication your actual strategy is to rely on your team’s experience-based gut instincts. If your strategy is primarily focused on working diligently to avoid a crisis to begin with (a very seductive approach), then you have the same strategy: the best gut reactions your team can manage once you’re in the midst of a crisis.

A CCM plan follows naturally from a CCM strategy. This article is not about the details or even the components of a good CCM plan (the who, what, when, where, how), but rather about the components involved with a CCM strategy (mostly why). There are many similar lists all over the internet; if you don’t like this one or some parts of it, adjust it to suit your needs. Just make sure you take the time to think about CCM and create a strategy.

Key points:

  1. Be prepared to need CCM competence
  2. Have a CCM plan
  3. Pre-identify the CCM team
  4. Speak with one voice
  5. Update often
  6. Appoint someone to deliberately ignore the crisis
  7. Continually improve the CCM plan

Be prepared to need CCM competence

You need to be mentally prepared, emotionally prepared, and practiced — because some day you’re going to be in a cybersecurity crisis and that’s not the moment you want to start trying to figure out what to do. 

Mentally you need to understand that a cybersecurity crisis is not just an “IT issue.” This is a much easier sell these days, but there are still some hold-outs. Whether you’re in the C-Suite or the mail room, a cybersecurity crisis has pervasive effects, and everyone needs to care.

If you’re working anywhere in IT or in an organizational leadership position, you need to be emotionally prepared to one day be punched in the gut by a cybersecurity crisis. You’ll work hard to avoid it, but more likely than not, one day the bear’s going to catch you off guard, and that’s not the time for hand-wringing and wondering how it happened (that can come later). Being mentally prepared will allow you to smoothly and quickly transition to the necessary practical steps needed to stop the problem and begin recovery.

Commitment to the idea of practicing required actions during a cybersecurity crisis is essential. Coach Bobby Knight makes the idea clear: “The key is not the will to win… everybody has that. It is the will to prepare to win that is important.” Being mentally and emotionally prepared is important, but you must commit to practicing.

Have a CCM plan

This sounds obvious, and it is, or should be. However, there are many people who know they need a will and yet do not have one. The analogy is a bit strained, but the truth remains: knowing you should have a plan is not enough. You must actually make the plan.

Pre-identify the CCM team

Walking onto the hardwood for a big game is not the time to begin picking teams. It’s no different with a cybersecurity crisis. When the moment arrives, select personnel should already know that they will be the ones called upon to work primarily on resolving the crisis.

Speak with one voice

Tying in with the previous point, one person needs to be pre-identified as the overall leader of the CCM effort. They need to know ahead of time that if a crisis comes up, their job becomes full-time CCM. You also need to think through how the organization will speak one “truth”: one person addressing meetings, one file location for log entries, one authoritative email address to disseminate information, one authoritative Twitter account, etc. The inclination of many will be to try to jump in to “help”; however, it should be clear from the beginning where authoritative updates come from.

Update often

No one likes to feel like they’re being left in the dark. You need to be prepared to over-communicate, because otherwise non-authoritative voices will fill the vacuum (often with speculation). Part of your plan should include a schedule for official summary communications. Even if you have nothing substantive to add at a regularly scheduled communication time, broadcast that fact. Of course, don’t cram 6 words of information into a 100-word missive; if you have nothing new to say, say it quickly. And don’t speculate!

Appoint someone to deliberately ignore the crisis

David Copperfield once made the Statue of Liberty disappear. He did it by getting folks to look so intently one way that they missed the fact that they were physically being moved. When a crisis hits, just like an auto accident, everyone is going to be tempted to look. Someone has to be directed not to, whether for reasons of maintaining normal primary operations, looking to see if someone is trying to “slip by” in the confusion, or just to guard against the old adage that “bad things come in threes.” Something not mentioned in the 96-page congressional report on Equifax’s major breach in 2017 is whether or not Equifax was affected in any way by the WannaCry ransomware attack. It may just be coincidental, but WannaCry kicked off on May 12, 2017, and Equifax was breached via the Apache Struts vulnerability on May 13th. That breach would stay active until July 30th and end up causing much more trouble for Equifax.

Continually improve the CCM plan

After every crisis, ensure you take the time to conduct an after-action review, capture lessons learned, and update your CCM strategy and plan. Learning from others’ mistakes and crises is the best way. Have you assigned someone yet to read the 96-page congressional report on Equifax’s major 2017 breach?

CYR3CON provides cyber threat intelligence through advanced machine learning (ML) and data mining of deep-/dark-web information. We’re continuously on the lookout for threat-countering intel to help you minimize the likelihood of a cybersecurity crisis.
