At some point, your organization is likely to encounter a crisis situation. As CEO of a cybersecurity company, I work with many organizations responding to security crises, such as breaches or disclosure of security issues in their products. How companies respond to these situations can make or break their reputation and customers’ trust in the organization, and impact the cost of the incident. This is also true for non-security-related incidents.
As board members, you can support—or even mandate—a response that will see your business weather the storm as well as could be hoped. Nobody likes to think about worst-case scenarios, but as board members you must hold the organization accountable for doing just that to ensure it is prepared in case disaster strikes.
My seven steps to minimizing fallout through crisis response are as follows:
1. Determine your guiding principle. Before you begin planning for, or responding to, a crisis, determine the overarching goal or guiding principle that drives decision-making throughout the organization’s response. This should be a principle that has been articulated in advance and is well understood by all stakeholders.
Guiding principles can vary greatly, and could include: protecting users, investors, or employees; minimizing disruption or cost to the business; or demonstrating leadership in your community. Spend time with the executive team and other key leaders in your organization to determine what makes the most sense for your business. Be sure to discuss the risks, benefits, requirements, and payoffs of various approaches.
2. Preparation is key. Next, identify a handful of crisis scenarios that could affect your business, and to determine which key players will drive the response. This will likely change from scenario to scenario. Once you know your scenarios and stakeholders, assign an owner to build response plans. These plans should include basic workflows for every scenario and a detailed matrix of roles and responsibilities for all stakeholders. The owner should work through the processes and expectations to ensure that everyone understands their role, and what their teammates will need throughout the process.
As a board member, you can support this by asking:
Do we have an up-to-date incident or crisis response plan for the organization? What scenarios are covered? Are there applicable scenarios that have not been included?
Who was involved in creating, reviewing, and approving the plan? Do all stakeholders understand what is expected of them?
What assets most need protecting to ensure effective business continuity?
3. Practice makes perfect. There is no such thing as perfect when it comes to crisis management, but ensuring that your organization’s response plan has been practiced will help you identify potential kinks in the process before they become significant issues. It will also help your cross-functional team build trust and better understand each other’s processes and needs.
As a board member, you can support this by asking:
When was the last time we ran a drill for our crisis response process?
What points were identified as improvement areas in our last crisis drill?
How frequently does our response team run drills or tabletop exercises?
How many different scenarios have been walked through?
4. Build trust among core stakeholders now. If you have followed steps 1 through 3, then you know who your core team is for a variety of scenarios. Depending on the size and complexity of your organization, the key stakeholders may not know each other well and may have minimal experience working together. A crisis is an incredibly challenging time to begin building relationships and trust.
Encourage your crisis response leaders to get to know each other sooner than later, possibly through presenting the crisis response plan to the board. When presenting, ask them to demonstrate familiarity with each other and their alignment. For example:
Ask them to explain each other’s role and goals through a given crisis response scenario.
Ask how they collectively judge the success of a crisis response.
Ask them to explain what they need from each other and the board or leadership team, and what they will provide themselves.
5. Set clear expectations. As much as the crisis response leaders need to build a plan and determine workflows for crisis scenarios, the board should also establish clear expectations and share them in advance. Bear in mind that your role is to help, not hinder, the organization’s ability to respond to a crisis, so whatever expectations you set with the crisis leaders or executive team should be as minimal or efficient as possible.
Consider the following:
When do you want to be informed of a potential crisis situation? For example, when it’s first discovered? Once it’s been verified? Once it’s resolved? Are there any industry-specific regulatory requirements for the timing of reporting on a crisis?
How do you want to be informed? Do you want communication to be over email, or should everyone get together for a call?
Are there categories of incident severity that trigger different responses? For example, will there be situations that you don’t need to know about, some that can just be included in the regular board reporting, and others that warrant dedicated communication?
6. Glide like a swan. As board members, you are no doubt adept at maintaining a professional demeanor in the face of stressful situations. Never is this more vital than during a crisis response. You need to set a tone for the executive team and crisis response team. If you get heated or upset, that will likely perpetuate the same behavior, and a lack of calm generally encourages mistakes to be made and people to become less effective.
Similarly, a lack of calm among responders and executives will likely reveal itself to others, whether inside or outside the organization. This may result in speculation that does more harm to employee or customer morale, or to stock price, than the incident itself. Avoid being the cause of additional stress for those managing the response, and keep in mind point 5 above. It’s fine to want to be kept informed, but take care not to distract or further stress out the core team.
7. Capture learnings and avoid blame. When responding to a crisis, it’s important to enable people to be honest about what happened, what could have or should have been done differently, and what lessons and next steps can be taken away. If everyone is worried they will be fired or publicly blamed, they will be less likely to be honest about what happened. As such, it’s essential during the crisis response that you avoid recriminations and blame.
After the incident has been resolved, ask the crisis response leaders to present key learnings to the board, including what action will be taken to ensure the scenario is unlikely to occur again. At this time, it may be appropriate to discuss accountability; this should be handled privately and with sensitivity.
As board members, you typically will not be on the front line of a crisis response. However, you can still influence its outcomes by encouraging preparation, ensuring alignment, and supporting an open, calm, and blame-free approach. This will enable your organization to put their best foot forward, and hopefully weather crises in the best possible way.
Corey E. Thomas is CEO of Rapid7. Read more of his insights here.
Information security should be one of the most important risk areas of focus for boards. However, according to the 2017–2018 NACD Public Company Governance Survey, 88 percent of surveyed directors indicated that they had only some or little knowledge about how to navigate cyber risk. It’s clear that too few directors feel qualified to have this conversation in any degree of depth.
When I joined Amazon.com in 1998, Jeff Bezos, the company’s CEO and chair, viewed security as the most threatening, potentially company-ending risk that the company faced. Since then, many companies have elevated security risk to their technology, the infrastructure on which they depend, as the greatest existential threat to their enterprise. Yet boards struggle to quantify these risks, to determine their tolerance for security risks, and to assess the company’s security program.
In their discussions of security risk, security leaders and board members are constrained by time, frame of reference, shared vocabulary, experience, and understanding of the adversary. Board members could use some help.
I propose ten simple questions that could enable discussion, provide board members with a lens through which they can broadly view the company’s security program and posture, and prompt security leaders to build a shared understanding of the company’s risk profile, threat landscape, and most important security initiatives.
1. Who is in charge?
It is critical for the board to identify the most senior information security leader in the company. This should be a person explicitly designated to lead the program, with the requisite skills, resources, and authority to execute it. This person commonly goes by a title such as chief information security officer (CISO), chief security officer, or head of security, among other titles. Sometimes, companies will take a tiered approach to security. In such cases, the leader of the security team plays a pivotal role, and the board needs to be comfortable that their position and authority is consistent with the importance that the board places on security.
If you identify someone who has security as one responsibility among a portfolio of others, it’s necessary to determine who has single-threaded focus on information security. Once that person is identified, you can discuss whether they have the proper ownership and resources to go with the responsibility, their reporting chain, the support that they receive from the rest of the company, and their relationship with the board. Regardless of who they directly report to, this person should be accountable to the board.
2. How do we assess risk?
Security is about risk management. It’s critical for directors to understand the process of identifying and analyzing security risks, how their likelihood and impact are estimated, how the appropriate controls are prioritized and implemented, how their efficacy is tested, and how results are monitored. Some potential security events are low probability and extremely high impact, making it more difficult to compare them to other risks. Nevertheless, it’s critical to go through the exercise of determining risk appetite, assessing and qualifying risk, quantifying overall exposure, and placing it within the company’s overall risk management framework. Finally, it’s important to be candid about your confidence in the risk assessment.
3. Are we focused on attacks?
It’s important to focus on managing the most critical threats and on breaking the attack kill chain—the structure of an intrusion—rather than to engage in “security theater,” or activities that give the appearance of competence while lacking in substance. Budgets are limited and security talent is in very short supply, so resources should be focused on establishing an architecture that has sufficient defense in depth, resilience, and intelligence to survive modern attack types.
Traditional approaches to defensive security that were dependent on protecting the perimeter of the enterprise continue to prove insufficient. Today, defenders must understand the adversary’s attack mechanisms, work backwards from the path of the attack, layer defensive measures throughout the enterprise, intervene before the attacker can extract sensitive data, and teach employees and customers to play their crucial part.
4. What’s our most important asset?
This question shouldn’t take long to answer. It should drive a discussion between the board and the security leader about how data and services are classified, the policies that are established for their defense, and the required and recommended controls for each class. When a new service is established, this classification framework in combination with the new service’s threat model should make it relatively easy to decide who is responsible for mitigating threats and what controls should be put in place.
When asked to rank their biggest cybersecurity fears, 41 percent of directors said they are most worried about brand damage. While customer trust is the key asset in many businesses, it’s important to identify the specifics of what would be the most devastating loss for the company. It’s only then that a thorough, qualitative assessment of the most critical components of the security program can occur.
5. How do we protect our most important asset?
Board members can calibrate the overall risk profile of a security program once they understand how the most precious asset is protected. The answer to this question should discuss the high-level threat model for that most important asset and, in the context of modern attack patterns, the mechanisms used to defend it. The answer should reflect that this is a journey on terrain that is shifting. There should be an iterative process of quantifying the risks of different threats, and of mitigating the most significant ones.
6. What’s our biggest threat?
This question forms the heartbeat of the conversation between the board and the security leader. It provides an opportunity to describe the company’s current security posture and its target state, and to refresh the board on the evolving threat landscape, the lessons to learn from emerging attacks, and the measures that the company is taking to mitigate the threats. For many companies, security risk is sufficiently important to warrant a discuss of this question at every board meeting, perhaps with a summary of the threat models for any major new products or services, and a review of the most significant risks at any recently acquired companies. When board members hear grandiose plans to address the biggest threat, but the deliverables are more than 18 months away, they may wish to ask for approaches to improve today’s posture without necessarily derailing the long-term solution. Don’t make the perfect the enemy of the good.
7. What do we control?
The board should assess the degree to which the company’s security policy and practices are explicit and prescriptive. Board members should be very suspicious of a security leader who claims to have complete control of the technology platform and the tools that employees use. Full control is usually a dangerous illusion, and any autocratic attempt to achieve it can lead to inflexibility and to employees working against or around the security program. Security should be viewed as a collective responsibility, rather than as a fixed constraint. Boards spend time assessing internal controls that for example provide confidence in custody over sensitive data and in the accuracy of financial reporting. Effective security leaders will distinguish between controls and control, and will strive towards “getting to ‘yes,’” rather than being the one who always says no. Getting to yes is easier if employees buy into a decision and if the path of least resistance is for them to do the right thing by default.
8. Are incident response and recovery plans tested?
This is one of those questions to which the answer can be “no” at most once. In the common case this question will lead to a review of responses and recovery from real incidents, in addition to a summary of simulated attack exercises, consideration of the fidelity of such exercises, and lessons learned. It provides the board with a view of the company’s capabilities in communication, response planning, incident analysis, risk mitigation under duress, and leadership.
9. Would we know if we’d been compromised?
Security technology vendors may tout breakthroughs that provide the ability to identify and prevent attempted compromises with perfect precision and recall. An effective conversation between a security leader and a board will take as a given that all attacks can’t be identified and prevented, and that compromises may already lurk undetected. This should lead to a discussion of actions to make prevention as strong as possible, to improve the probability of detecting lurking intruders, and to reduce the likelihood that they reach critical assets and extract them.
In a world where the edge of the company’s technology footprint is increasingly blurred, where the sophistication of attacks outpaces security awareness, and where advanced persistent threats are used by adversaries, it’s inevitable that the answer to this question will be nuanced.
10. Who would be told, and how do we expect them to respond?
Communication is a key part of a successful incident response plan. Each person, including the board, needs to know his or her role in communicating about incidents internally and externally. The question goes beyond incident handling to include recovery processes and the proactive management of any reputation impact that may arise from the incident.
As a board member, it’s worth thinking about two questions that I used back in 1998 to get Bezos thinking about his role in incident response:
In the event of a high-severity security incident, do you think you’d be told?
Would you like to be told?
Response and recovery go hand in hand. It’s tempting to avoid putting significant effort into planning for recovery from a major security incident, and while everyone would prefer to focus on prevention efforts with a goal of zero incidents, the reality is that there’s no such thing as perfect security. The recovery plan is part of responding to the incident, learning from it, managing communications, and getting the company back in business. A well-executed recovery plan has the potential to limit the reputation damage caused by the event, and to help management and other stakeholders to move beyond it.
Finally, a bonus credit question: Do you have the team and the budget that you need to be successful in managing the company’s security risk?
These 10 questions are a starting point for a longer conversation. Directors and the security leader should regularly employee a more thorough framework, such as the NIST Framework for Improving Critical Infrastructure Cybersecurity, to begin building a deeper understanding of their company’s security posture. While the NIST framework goes to considerably more depth, these 10 questions are intended to get to the essence of what is most important for a board to periodically review.
Tom Killalea (@tomk_) is a director of Capital One Financial Corp., MongoDB, Carbon Black, and Orreco. From 1998–2014 he served in various leadership roles at Amazon.com, including vice president of technology and CISO. All opinions expressed here are his own.
It’s way too early to make any judgments on board conduct in the Equifax controversy. That’ll be for the courts to decide, and they’ll take a long time getting there. But it’s not too early to draw some useful governance lessons from the situation, if media reports are to be believed. And these are lessons that apply regardless of whether the board serves a publicly held, privately owned or nonprofit corporation.
Some of these lessons relate to the board’s crisis management responsibilities. Others relate to the oversight of the board-CEO relationship. Still others invoke expectations of board cybersecurity oversight.
All of the possible lessons are premised on the increasing recognition of the inevitably of crisis, be it black swan or foreseeable, cybersecurity-related or “from out of left field.” For most complex enterprises, crises are just going to happen. The only questions are when, how big the crisis will be, and from what direction it will come. The most prescient of boards will embrace this inevitably and prepare for a corporate governance version of Defcon 3.
The other lessons are more practical in nature.
1. Emergency Succession The swiftness of Mr. Smith’s removal speaks to the “nuts and bolts” value of having an emergency executive succession plan. The sudden Smith transition is a shocking example of how emergency succession applies to circumstances beyond customary triggers such as death, health care and family considerations. In today’s crisis-oriented environment, the need to separate from, and replace even the youngest, seasoned and most successful executives can arise at a moment’s notice.
Succession is a part of the board’s basic responsibilities that often gets lost amid the confluence of best practices and consultant messaging. Such planning can be complicated. According to the New York Times, the Equifax board regarded many of its original replacement candidates as “tainted” by ties to the cyber breach—including some executives who are believed to have sold company stock after the breach was discovered but before it was disclosed to the public.
2. Structuring the Separation There’s also the need to anticipate both the classification and the financial terms of executive separation in the context of a crisis environment. According to media reports, Mr. Smith’s separation was described as a retirement. Yet, the board announced that it was reserving the right to retroactively classify the separation as for-cause termination, based upon the ultimate findings of a board special committee charged with the responsibility for reviewing the data breach. Such a reclassification would have obvious and material implications for Mr. Smith’s compensation arrangements, including valuable stock awards.
This action by the Equifax board reflects several key realities of the crisis environment.
It will often be difficult to fairly ascertain the presence of cause for termination purposes in the direct aftermath of a crisis. The consideration of the results of an internal investigation may be a necessary and equitable precondition.
While not yet considered best practice, the use of clawbacks and other forms of executive compensation disgorgement arrangements is increasingly viewed as an effective response to executive fraud, malfeasance, or other misconduct. Clawback application has most recently been demonstrated by the actions of a financial services company board in response to a significant corporate controversy.
Boards must face the harsh reality of the need to impose separation in advance of intense scrutiny by the media, regulators, and possibly even legislators. The sometimes corporate brutality of “throwing executives under the bus” may be perceived as both part of an effective board response (i.e., to demonstrate board accountability), and necessary to preserve the reputation of the company and the interests of its stakeholders. According to the Wall Street Journal, the departures of the Equifax information officer and chief security officer were not considered by the board to be actions significant enough in stature. Thus, the concept of “strict accountability” for executives in the context of major corporate controversies may increasingly be considered an indirect part of the compact between the board and management.
3. The Standard of Conduct Another lesson is for the board to reconsider the effectiveness of its own cybersecurity oversight efforts. The leading judicial decisions have to date established a high Caremark-style barrier for demonstrating breach of cybersecurity oversight responsibilities. Notable in this regard was the decision of the court in the Home Depot case to extend the protection of the business judgment rule to the board’s conduct, despite its clearly expressed concerns about the speed with which the board implemented protective measures.
However, boards should not place unreasonable reliance on Caremark protection. As instances of cyberbreaches become more egregious, it is reasonable to project a stricter approach to director liability in future cases.
4. The Self-Critique Perhaps the most basic governance lesson from Equifax is the need for board self-evaluation. Any board-driven internal investigation of a corporate controversy will benefit from consideration of the adequacy of the full board’s related oversight efforts. For example, the Wall Street Journal reported that weaknesses in Equifax’s cybersecurity measures were “apparent to outside observers in the months before the hack.” Was the board made aware of these weaknesses? If not, why not? Such a self-critique has been an accepted component of truly comprehensive internal investigations since the “Powers Report” from the Enron board. The willingness to consider how possible governance inadequacies may have contributed to crises can serve as a powerful demonstration of the board’s good faith and assumption of ultimate responsibility.
Equifax is not, as some have characterized it, the second coming of Enron. That’s unnecessary hyperbole at this point. As exaggerated as commentary may be, what is known about the crisis offers a valuable teaching moment to boards about expectations of fiduciary conduct in crisis situations, cybersecurity or otherwise.
Michael W. Peregrine, a partner in McDermott Will & Emery, advises corporations, officers and directors on matters relating to corporate governance, fiduciary duties and officer/director liability issues. His views are his own and do not necessarily reflect the views of McDermott Will & Emery, its clients, or NACD.