Steps CISOs Should Take Before, During & After a Cyberattack

In today's complex threat landscape, cyberattacks are inevitable. Malicious actors are becoming increasingly sophisticated, financially motivated attacks are becoming more widespread, and new malware families are being discovered daily, making it even more important for organizations — of all sizes and across industries — to have a plan of attack in place.

Detailed cyber playbooks are essential and should outline exactly what teams should do when an attack occurs, ranging from best- to worst-case scenarios, so that security leaders can mitigate the issue, reassure business leaders, and move forward as quickly as possible.

While each cyberattack is unique and requires its own procedure and recovery plan, there are three considerations chief information security officers (CISOs) should raise with their security teams and business leaders today to ensure they are prepared accordingly.

Before a Cyberattack: Educate Stakeholders

CISOs and security leaders should engage with business leaders about cybersecurity regularly — and well in advance of when an attack occurs. Education and generating awareness for those who may not be as involved in day-to-day security operations (i.e., the board of directors) is critical for avoiding certain surprises that often come with a security incident. CISOs should prioritize this education through:

By implementing the initiatives mentioned above, when an event does occur, CISOs can easily reassure stakeholders that the plan of attack that has been mutually agreed upon and tested is in motion.

During a Cyberattack: Prioritize Effective and Empathetic Communication

When a cyberattack does occur, it is imperative that organizations are able to quickly spin up their teams for response and activate on the roles and responsibilities that have been pre-established. The smoothest and most-effective responders are usually those who are well trained, well equipped, and have pre-staged the requisite tools ahead of time.

The way and tone that leaders communicate during a crisis is essential to effective cyberattack recovery. Leaders should integrate empathy into their strategy, providing impactful and effective reassurance to those impacted, both internally and externally, focusing on restoring stakeholders' trust.

After a Cyberattack: Reflect Without Blame

In a high-stakes, high-pressure environment like cybersecurity, it is imperative that organizations create an open space that welcomes honest and insightful postmortems.

After resolving issues from an attack, security teams should regroup and reflect on the incident to better understand the ways in which they succeeded and how they can improve moving forward. It's important that during these discussions that no particular individual is blamed, and that the focus is about understanding how the organization can improve. The playbook should be reviewed in detail with stakeholders to determine if there is anything that needs to be adjusted to make for a more effective response.

At Google, we adhere to the concept of blameless post-mortems — creating an open space that encourages frank discussions about what went wrong, what went right, and the lessons learned from the incident.

Ultimately, the goal is to avoid surprises before, during, and after a cyber incident. To achieve this, organizations should consistently communicate and educate stakeholders throughout the entire cyberattack cycle to increase the understanding of the event and avoid the same mistakes again. By creating a plan of action that is frequently tested, establishing roles and responsibilities, continuously updating playbooks, communicating frequently, conducting postmortems, and asking for outside help when needed, organizations can set themselves up for more success when it comes to responding to cyberattacks. We will never be able to avoid cyberattacks entirely, but we can always learn and become more effective in addressing them.