RSA CONFERENCE 2023 – San Francisco – The difference between a cyber crisis and any other type of emergency response is the unknown and the speed of events.
In an earthquake, you know what knocked down all the buildings. In a fire response, firefighters get an address. But with cyberattacks, answers can be much more elusive.
Even so, decisions still must be made quickly — and decisively — in order to mitigate the damage.
"A delayed decision is a decision," John Carlin, partner at Paul Weiss, said here in a panel this week entitled "Surviving the Breach."
Carlin, who has coordinated response plans at the highest levels of government, along with Brad Maiorino, CISO at Raytheon Technologies; Chandra McMahon, CISO at CVS Health and former CISO for Verizon; and Siobhan Gorman, a partner focusing on crisis, cybersecurity, public affairs, and media relations for the Brunswick Group, shared how they navigated cyber incidents and emerged on the other side with their careers and reputations intact.
Planning and developing a useable, flexible incident response playbook is important, as is working through everything from setting up Bitcoin wallets for potential ransomware payments and building a relationship with a professional negotiator to sitting down with general counsel to outline potential responses, according to the panelists.
Utterly mundane details can be easily overlooked, like having contact details for the appropriate stakeholders (such as the FBI) written down or stored someplace outside the downed systems. So designate an incident commander, McMahon said, adding that the CEO isn't the right person to take on that role. The incident commander should be someone with cybersecurity knowledge.
Expect Wild Cards
McMahon said managing incoming data and challenges can make or break an incident response. She recommends planning for "wild cards" in the response.
"You don't know what form or flavor they will come in," McMahon said, but human behavior is one of the most predictable wild cards in any given response. It's natural for employees to participate in the response, even when they might not have any expertise in the area. That could include their speaking without authorization to the media, or even to customers, ahead of the orchestrated response.
"There is energy there and people just need somewhere to put all their energy," she said. "They want to be part of the response. It happens consistently."
To help identify the legal ramifications of a breach, the panelists recommended keeping legal counsel close during an event.
External counsel can hold onto data and keep it under attorney-client privilege protections, and an SEC attorney can provide guidance on disclosures so a company doesn't wind up disclosing too much or too little because of a misunderstanding of the rules.
"I treat the legal team as an extension of our team," Maiorino added.
Corporate Values Should Drive Response Decisions
When it comes to surviving a massive breach, corporate values can provide a guiding light for making the right moves, they explained.
Gorman used the example of the Under Armour MyFitnessPal compromise she and her team worked on a few years ago. Under Armour turned to its two top stated priorities to decide next steps after the breach, transparency and caring about athletes, she said. The company decided to proactively alert the affected 150 million users that they were potentially at risk as soon as possible so they could take steps to protect themselves, she said.
Gorman and her team headed up that disclosure in just four days, she said.
Maiorino said keeping the focus on customers is the best path forward. "This is my opinion," Maiorino said, "but CEOs who put customers first do better than those who didn't. Customers recognize that and come back."