At some point, your organization is likely to encounter a crisis situation. As CEO of a cybersecurity company, I work with many organizations responding to security crises, such as breaches or disclosure of security issues in their products. How companies respond to these situations can make or break their reputation and customers’ trust in the organization, and impact the cost of the incident. This is also true for non-security-related incidents.
As board members, you can support—or even mandate—a response that will see your business weather the storm as well as could be hoped. Nobody likes to think about worst-case scenarios, but as board members you must hold the organization accountable for doing just that to ensure it is prepared in case disaster strikes.
My seven steps to minimizing fallout through crisis response are as follows:
1. Determine your guiding principle. Before you begin planning for, or responding to, a crisis, determine the overarching goal or guiding principle that drives decision-making throughout the organization’s response. This should be a principle that has been articulated in advance and is well understood by all stakeholders.
Guiding principles can vary greatly, and could include: protecting users, investors, or employees; minimizing disruption or cost to the business; or demonstrating leadership in your community. Spend time with the executive team and other key leaders in your organization to determine what makes the most sense for your business. Be sure to discuss the risks, benefits, requirements, and payoffs of various approaches.
2. Preparation is key. Next, identify a handful of crisis scenarios that could affect your business, and to determine which key players will drive the response. This will likely change from scenario to scenario. Once you know your scenarios and stakeholders, assign an owner to build response plans. These plans should include basic workflows for every scenario and a detailed matrix of roles and responsibilities for all stakeholders. The owner should work through the processes and expectations to ensure that everyone understands their role, and what their teammates will need throughout the process.
As a board member, you can support this by asking:
Do we have an up-to-date incident or crisis response plan for the organization? What scenarios are covered? Are there applicable scenarios that have not been included?
Who was involved in creating, reviewing, and approving the plan? Do all stakeholders understand what is expected of them?
What assets most need protecting to ensure effective business continuity?
3. Practice makes perfect. There is no such thing as perfect when it comes to crisis management, but ensuring that your organization’s response plan has been practiced will help you identify potential kinks in the process before they become significant issues. It will also help your cross-functional team build trust and better understand each other’s processes and needs.
As a board member, you can support this by asking:
When was the last time we ran a drill for our crisis response process?
What points were identified as improvement areas in our last crisis drill?
How frequently does our response team run drills or tabletop exercises?
How many different scenarios have been walked through?
4. Build trust among core stakeholders now. If you have followed steps 1 through 3, then you know who your core team is for a variety of scenarios. Depending on the size and complexity of your organization, the key stakeholders may not know each other well and may have minimal experience working together. A crisis is an incredibly challenging time to begin building relationships and trust.
Encourage your crisis response leaders to get to know each other sooner than later, possibly through presenting the crisis response plan to the board. When presenting, ask them to demonstrate familiarity with each other and their alignment. For example:
Ask them to explain each other’s role and goals through a given crisis response scenario.
Ask how they collectively judge the success of a crisis response.
Ask them to explain what they need from each other and the board or leadership team, and what they will provide themselves.
5. Set clear expectations. As much as the crisis response leaders need to build a plan and determine workflows for crisis scenarios, the board should also establish clear expectations and share them in advance. Bear in mind that your role is to help, not hinder, the organization’s ability to respond to a crisis, so whatever expectations you set with the crisis leaders or executive team should be as minimal or efficient as possible.
Consider the following:
When do you want to be informed of a potential crisis situation? For example, when it’s first discovered? Once it’s been verified? Once it’s resolved? Are there any industry-specific regulatory requirements for the timing of reporting on a crisis?
How do you want to be informed? Do you want communication to be over email, or should everyone get together for a call?
Are there categories of incident severity that trigger different responses? For example, will there be situations that you don’t need to know about, some that can just be included in the regular board reporting, and others that warrant dedicated communication?
6. Glide like a swan. As board members, you are no doubt adept at maintaining a professional demeanor in the face of stressful situations. Never is this more vital than during a crisis response. You need to set a tone for the executive team and crisis response team. If you get heated or upset, that will likely perpetuate the same behavior, and a lack of calm generally encourages mistakes to be made and people to become less effective.
Similarly, a lack of calm among responders and executives will likely reveal itself to others, whether inside or outside the organization. This may result in speculation that does more harm to employee or customer morale, or to stock price, than the incident itself. Avoid being the cause of additional stress for those managing the response, and keep in mind point 5 above. It’s fine to want to be kept informed, but take care not to distract or further stress out the core team.
7. Capture learnings and avoid blame. When responding to a crisis, it’s important to enable people to be honest about what happened, what could have or should have been done differently, and what lessons and next steps can be taken away. If everyone is worried they will be fired or publicly blamed, they will be less likely to be honest about what happened. As such, it’s essential during the crisis response that you avoid recriminations and blame.
After the incident has been resolved, ask the crisis response leaders to present key learnings to the board, including what action will be taken to ensure the scenario is unlikely to occur again. At this time, it may be appropriate to discuss accountability; this should be handled privately and with sensitivity.
As board members, you typically will not be on the front line of a crisis response. However, you can still influence its outcomes by encouraging preparation, ensuring alignment, and supporting an open, calm, and blame-free approach. This will enable your organization to put their best foot forward, and hopefully weather crises in the best possible way.
Corey E. Thomas is CEO of Rapid7. Read more of his insights here.
As a society, we must address cyber-risks from every angle: every technology or Internet user must be educated so they can better secure themselves. As business leaders, we bear this responsibility not only for ourselves, but also for our teams, colleagues, and organizations.
To help get you started, here are some questions I recommend you ask your head of security. I also highly recommend that, regardless of your role on the board, you get to know your security team. Help them understand how board-level oversight of risks works, and meet them with an open, inquisitive mind so they can educate you on security concerns and implications.
1. Does the security team have a full, well-informed view of the organization’s security posture?
One of the most fundamental challenges organizations face when it comes to security is getting full visibility of the technology assets being used across the organization and their associated risks.
You can’t defend something if you don’t know that you have it. Finding that one key weakness that provides the perfect opportunity for an attacker can be like finding a needle in a haystack.
It can also be challenging for security professionals to cut through the noise in the security industry to focus on the most relevant core threats. Doing so will enable them to focus their time, resources, and investments in areas that will have maximum impact for your organization.
Here are some additional questions you can ask:
Which threats are most relevant to the company, and which assets are most vulnerable, and which are most likely to be targets? Ask the security team to explain their answers.
Does the security team share threat information with security teams at other organizations of a similar profile?
Does the security team have full visibility and control of our entire technology environment, including assets we lease rather than own? Does the team have a detailed inventory of key assets, who is using them and how, and what known risks relate to them?
Is the security team part of the procurement process for all technology products and services? Do they vet technology vendors on the security of their products or services? Do they investigate the vendor’s practices for reporting and patching vulnerabilities?
Does the security team know who has access to what applications and services? Have they locked access down as far as possible, so people only have the privileges needed to perform their day-to-day role?
2. Is our organization resilient to attack?
Companies are under attack daily, either from automated, internet-wide attacks, or from more targeted and determined attacks. It is important to ask your security team questions about the security measures they have in place to reduce the likelihood and impact of a breach. There is no such thing as a silver bullet or impenetrable force field that will perfectly protect your organization. The key is to ensure your organization is taking a multi-faceted, layered approach that leverages technology, people, processes, and policies together for maximum effect. Your security team should be focusing their limited resources on actions that most reduce the risk associated with the greatest threats to your organization.
Take this opportunity to have your head of security explain why they made the trade-offs they did, and how those decisions could impact the business. Make sure they are aligning their decision making with overall organizational goals, compliance requirements, and real technical risks.
Is all company and customer data encrypted at rest and in transit? If not, which data is being encrypted and when?
Has the security team segmented the company’s networks to reduce an attacker’s ability to move through the network and reach valuable assets?
Does your organization regularly back everything up to reduce susceptibility to ransomware attacks? Do you run regular backup and restore drills?
Do you know how susceptible our employees are to phishing? Are you investing in education programs to raise security awareness?
Do you have multi-factor authentication in place on all of our technical services and applications?
Does the organization have cyber insurance to help it recoup any costs of a security incident? Which scenarios or factors arenot covered by the insurance?
3. Is the security team confident it can detect and respond quickly to security incidents?
According to the 2017 M-Trends report, it takes an average of 99 days for organizations to discover attackers in their networks. The longer an attack goes undiscovered, the greater the likely harm will be, so it is critical that your organization is able to detect and respond to security incidents quickly. Full visibility across all technical assets, properly stored and analyzed logs, and sufficient manpower to investigate alerts in a timely manner are all essential ingredients for quickly detecting security incidents.
A properly coordinated response will likely involve representatives across the business, so it is important that your board and security team understand what roles each department plays in a response.
Some relevant questions include:
Does the security team map normal behavior (both for human users and machine entities) on the network? Are they able to detect anomalous behavior?
Is the security team able to investigate and verify alerts quickly? Do they have sufficient resources committed to monitoring systems that alert suspicious activity?
How quickly could the security team investigate a potential breach or determine which technology assets and users may have been compromised? Does the security team have sufficient visibility across all technical assets to investigate fully? Does the security team log any information that would be needed to investigate a security incident?
Does the company have an incident response plan in place, with roles clearly defined and understood across the organization (including legal, finance, communications, IT, customer support/engagement etc.)? When was the last time the company ran an exercise to test its preparedness and response? Who is responsible for driving this initiative in the organization?
4. How do you measure the effectiveness of our cybersecurity program and initiatives?
Testing and verifying the effectiveness of your security program and initiatives is part of many industry cybersecurity compliance requirements. It also a pragmatic measure that helps your organization understand where it needs to make investments, and how resilient it really is to attack. A key part of this review is engaging security professionals to penetrate the company’s infrastructure to test for vulnerabilities. This will help you understand the efficacy of your defenses, hopefully uncover the opportunities attackers may spot, and investigate the potential outcomes of an attack.
Some questions to ask your security team include:
Is the security team proud of the company’s patching program? Do they feel adequately supported by the IT team in their efforts?
Who is responsible in the organization for initiating testing of organization-wide breach readiness?
How frequently does the security team test the company’s defenses for effectiveness? Do they hire external security consultants to try to penetrate the network and facilities?
Is the security team able to track progress over time?
Does the security team have a view of the maturity of its program? Is there a clear roadmap for future progress?
What measures has the security team taken in the past six months to improve security posture? What results have they seen? How will they adjust the program moving forward?
5. Do political or financial considerations impact your ability to protect the organization effectively?
It’s the reality of every business that budgets and other resources are not limitless. Investment must be proportionate to the business growth and context. However, it is also worryingly easy to overlook financial or political constraints that can hamstring your security program. You do not want to become aware of fixable limits on the security program at the point that you are reeling from a security incident.
The challenges of internal politics may also hold your security program back and expose your business to unnecessary risk. Investigate the structure of your security organization, its reporting line, and its standing with key partner departments in the business such as IT, engineering, and legal.
Investigate any barriers that are limiting the effectiveness of the security program now, discuss them in an open environment with the organization’s leadership, and make informed decisions on how to move forward based on a realistic view of your organization’s risk tolerance and budget.
Are there any budgetary or political roadblocks to implementing foundational security controls?
Does the security team have adequate headcount and resources? How is the answer to this question determined? If not, in which areas are we below critical mass?
Does the head of security have the opportunity to be heard among the most senior executives in the organization?
Do the business leaders across the company truly understand the potential costs and implications of the business of being breached? Do they discuss risk tolerance and prioritization payoffs in an open, strategic way? Do they build resilience plans based on these discussions?
Is security considered an audit function, or does the organization strive to build security into its products, services, and operations by design?
Security is complex, constantly evolving, and often unfortunately viewed as a drain on the business. Yet the benefit and necessity should be clear: having an effective and well-managed security program is key to minimizing risk and building resilience for your organization. Every part of the organization must play a role in this, and must understand the security priorities for the organization—and that responsibility extends to the boardroom.
Corey Thomas is CEO, president, and a member of the board of Rapid7.