3 Steps Executives and Boards Should Take to Ensure Cyber Readiness

Many teams think they're ready for a cyberattack, but events have shown that many don't have an adequate incident response plan.

Chris Crummey, Director, Executive & Board Cyber Services, Sygnia

April 16, 2024


COMMENTARY

The new Securities and Exchange Commission (SEC) rules on cybersecurity risk management, strategy, governance, and incident disclosure recently went into effect, and organizational approaches to cybersecurity incident response are top of mind for stakeholders at both public and private companies. While most executive leadership teams and corporate board members assume their organizations are ready for a potential cyberattack, recent events have shown that many are ill-prepared to handle what will be their worst day on the job.

A company's response to a crisis is a direct reflection of its preparedness. Rather than focus solely on what happens during and after a cyber incident, executives and leadership teams must first understand that the period preceding an event is most critical. Organizational remediation efforts can and should be developed, tested, and implemented before an attack happens. It is imperative for those at the top to use this time to evaluate how well their teams will respond when thrust into a dire situation and take the necessary steps to ensure cyber readiness.

Develop and Implement an Incident Response Plan

Far too many organizations find themselves in the middle of a cyber crisis without a formal response plan in place. Companies make critical errors that compound the financial and reputational damage of a cyber incident for the simple reason that they have no established roles and responsibilities and no documented chain of command for this sort of situation. The first hour of a crisis is where we see the most instances of job bias emerge, and they lead to a significant number of mistakes. During that "golden hour," people are unsure of what to do, but they inject themselves into the crisis because they believe it is their job to do something. This lack of understanding ultimately slows down the recovery and remediation process.

There isn't a single blueprint for what an incident response plan should look like, because each crisis is different. However, executives, board members, security teams, and others involved must know who takes the lead in responding, what each person's responsibilities are, and what steps should be taken to communicate internally and externally. The formal incident response plan should name an incident commander who works across lines of business and divisions within the organization to ensure each person and department understands the situation and handles their duties as assigned. The incident commander will also be charged with contacting the company's third-party experts, such as legal counsel, incident response firms, ransom negotiators, and public relations, to ensure they are aware of what has transpired. The cyber incident response protocol should be incorporated into the broader organizational crisis response plan, and it should be reviewed frequently and updated as necessary.

Stress Test the Response Plan in an Active Simulation

Planned actions can easily be lost in the chaos of a real cyberattack because of the natural psychological response employees have to a crisis. Leaders must understand that those involved in the response will experience a rush of cortisol, the stress hormone that creates a "fog of war" during turbulent times, and that this can lead to additional issues. The most common problem is the inability to validate and verify information. A person's interpretation of what has happened, or of what has been shared with them, can differ significantly from the facts of the incident. The result is that a single piece of unverified information about a potential event can escalate into a full-blown crisis.

The best way to evaluate how teams will react to a cyberattack is to put the formal incident response plan to the test. Tabletop and wargame exercises are immersive experiences, conducted in a controlled environment, that prepare enterprises to face and mitigate a potential attack. This gives every person within the organization the opportunity to feel, act, and behave as if they are in the midst of an attack situation. These training exercises allow teams to experience that rush of cortisol, learn how to handle and manage it, and develop the necessary discipline to execute the response plan. This also provides leadership with visibility into how an individual's response impacts the holistic approach to remediation.

Evaluate the Plan's Efficacy and Improve It

Once the organization and its cyber incident response plan have been put to the test, the next step is to evaluate the efficacy of the plan and identify opportunities for improvement. It is important to note where the fundamental breakdowns occurred and what can be done to address them. For example, if the communication cadence faltered, why was the team unable to contact the appropriate stakeholders? Was it procedural or did the incident commander not fulfill his or her duties? Leadership should know if it is a matter of committing additional resources to enhance security posture or if they need to incorporate different organizational leaders to spearhead response efforts.

Executives and board members must consider how prepared their team is before an attack happens and how it behaves during the crisis, and they must understand that the challenges surfaced by the wargame exercise are going to present themselves when a real attack occurs. It is imperative for leadership to be involved in the evaluation process, as the final decisions will have a widespread impact on key stakeholders. The ability to comprehend how each choice impacts and improves security posture and coverage will boost employee engagement, which is paramount to successfully defending an organization.

Cybersecurity has become a board-level issue in recent years, and it must remain a priority moving forward. It is incumbent on executive leadership to be well-informed about their organization's security response plan and how people respond before, during, and after a cyber crisis. By proactively evaluating their response protocol before an attack begins, board members and executives can shore up their defenses against emerging risks and ensure cyber readiness.

About the Author(s)

Chris Crummey

Director, Executive & Board Cyber Services, Sygnia

Chris Crummey is the Director for Executive and Board Cyber Services globally at Sygnia. For the past eight years, Chris has prepared and advised thousands of companies, SOCs, executives, and Boards of Directors on cybersecurity best practices before, during, and after a cybersecurity crisis. These best practices focus on the intersection of cybersecurity, risk-based decision making, crisis communications, leadership under pressure, and the role human beings play in cybersecurity. As a keynote speaker on these topics, Chris is also a cybersecurity faculty member of "Competent Boards," which is the original and premier creator of online ESG training programs for board directors and senior business professionals. Prior to this role, Chris was the Executive Director for IBM's X-Force Command Centers globally and specialized in tabletop exercises and cyber wargames.
