A CEO’s 5 Golden Rules in Managing a Cybersecurity Crisis

By Haider Pasha

A cyber breach can cause untold damage to a company’s operations, sales, reputation and stock price. It can also suddenly end the successful career of a CEO or CSO, as happened with some cyberattacks in recent years. 

In fact, Allianz Risk Barometer 2020 – the largest risk survey worldwide – recognized critical business interruptions caused by cybersecurity breaches as the most severe risk to organizations.

Even for the best prepared, a cyber crisis could hit anytime. What should you do if you are the CEO of a hacked company?

Rule 1: Take command. This is personal.

Roll up your sleeves. Merely delegating the work to the IT team during a cyber breach can be dangerous for the company and for you personally. A number of CEOs of large companies recently learned this the hard way. Cyber risk does not affect only your IT network but also your overall business.

Operational disruptions and litigation costs have an immediate effect on your reputation if not prioritized correctly. Hence, it’s not surprising that shareholders are starting to seek personal consequences for companies involved with a cyber crisis. Effectively management of a cyber crisis involves board-level engagement at both the COO and CFO level. But a CEO is often the best person to manage it.  

Rule 2: It’s all about communication.

When hit by a cyberattack, nobody wants to be in the news and challenged by the public and press. Was it poor cybersecurity or a nation-state hacker?

A cyber crisis is almost always very complex. It can take months to years to answer all those questions. However, the right communication strategy will determine public opinion about how professionally you have managed the incident.

While we can only speculate about the success rate of incidents that were kept secret, there’s enough evidence to show this: Most large enterprises that tried to keep a cyber crisis secret and were busted afterward failed big time with their reputation. 

Moreover, you have to manage all relevant internal stakeholders and vendors to comply with potential regulations for obligatory reports. Some regulators ask for extremely fast reports, such as the Monetary Authority of Singapore (MAS) that demands notification within a few minutes. 

But there are many technical variables you can’t control. Treating your cyber crisis transparently will bring you benefits such as public support by authorities, researchers and customers. But you need to be ready to take the pressure in communication and execution.  

Rule 3: Access cybersecurity expertise. 

If you have not run proper tabletop exercises yet and your team has never dealt with a cyber crisis, don’t try to work it out alone. Instead, consider using the following stakeholders in the crisis process:

• Cybersecurity incident and crisis experts: Reporting of the crisis and technical analysis can likely be done more effectively by external companies that have dealt with similar situations or the same threat actor. For instance, most companies often lack legal experience or are not familiar with the Tactics, Techniques and Procedures (TTPs) of the threat actor.
• Security vendors: Most companies are shy to consider security vendors as partners. The reality is that security vendors are perhaps the best partners to help you mitigate the threat given their experience with your security controls. 
• Peers:  Cybersecurity is a team sport, so we have to be humbler when working with our peers or even competitors. Most of the threats your organization faces have already hit some of your peers. Engaging peers and asking for help is critical.
• Law Enforcement: In many countries engagement of law enforcement is more of a formal act to register the incident. However, some countries have strong capabilities that focus not only on investigation of the threat actors but also help defend your networks. To address the problem of cybersecurity in a sustainable way, it is always good to engage with law enforcement during or after an incident.

Rule 4: Use smart containment.

Containing a cyber crisis could take years if you randomly follow all recommendations available out there. How do you challenge your CISO on the balance between incident containment and keeping the business going and avoiding panic mode? 

Instead of doing everything, your task force can apply a risk-driven containment approach addressing the most important questions: 1. Why were we hacked? 2. What are our crown-jewels and were they impacted? 3. How do we mitigate the threat? 

In order to understand how to mitigate the threat, you have to triage the first and second question properly.

For all targeted attacks aimed specifically at your company and with a defined purpose, such as trying to steal information for espionage or to sabotage the IT system, there is one key question you should always ask your CSO: Have we identified patient zero? 

Similar to virus outbreaks in our human world, patient zero can help you reconstruct the path of attack and identify potential hidden backdoors the attacker created as a backup in your network in case he gets identified.

Rule 5: Be safe, don’t be sorry.

How has the cyber breach impacted your business from a reputational, legal, financial and technical point of view? Have you lost money because you weren’t able to run a server for the last 20 hours? 

Estimate the overall cost of the attack. Look for an ongoing operational impact if time was lost working on important projects. This analysis is not only required in case you have hedged your cyber risk with insurance but will also help you derive your investment required in cybersecurity. 

Cyber resilience in a nutshell

No matter your industry, a proper cyber resilience plan is a must if you want to be prepared for the worst-case scenario. Reducing the scope of damage caused by a cyberattack is the primary aim of a cyber resilience plan. Attempting to secure the network is one thing. But activating a well-thought out and stress-tested business-continuity plan in the event of an attack can save your organization enormous money and time. So be well prepared.