Taking care of business: The CISO's role in a cyber crisis
CISOs have a broad range of responsibilities. But when a crisis occurs, they become the de facto leader, entrusted with both technical and business outcomes.
The role of the chief information security officer is pivotal -- and constantly evolving. Today's CISOs are responsible for all aspects of cybersecurity planning, prevention and management, and must also be attuned to the needs of the business.
Increasingly, the job includes being a leader who helps their organization through a cyber crisis.
Cyber incident vs. cyber crisis
Enterprise cybersecurity teams might investigate hundreds or thousands of events in a typical day. Many events are harmless and don't require human intervention. Sometimes, however, an event becomes an incident. An incident is any event that compromises systems or data, violates policies or otherwise poses risks to the organization.
Many incidents are addressed by security teams or systems with minimal disruption or damage to the business. For example, if an employee clicks a phishing link that installs malware and the organization's antimalware detects and quarantines that malware, this is a security incident that doesn't further threaten the business.
If an event is not easily mitigated or neutralized and begins to affect production systems, data, business performance and reputation, it becomes a cyber crisis.
Common cyber crises involve data breaches, cloud outages, nation-state attacks, systems outages, infrastructure failures and natural disasters.
Cyber crisis management vs. incident response
Cyber crisis management is an organization's ability to effectively prepare for, respond to and recover from cyber incidents that impact operations, reputation, finances, personnel or security. It is a critical component of an organization's risk management strategy.
Incident response is also a part of risk management, but specifically deals with identifying, containing, eradicating and recovering from the cyber event.
In other words, incident response involves handling the incident itself, while crisis management involves handling the business consequences of the incident. Incident response is more technical and operational, whereas crisis management is more strategic and organizational.
The two are not mutually exclusive. Crisis management almost always includes incident response, but not every event handled by incident response is necessarily a cyber crisis.
The CISO's responsibilities in crisis management
In incident response, the CISO is in charge. In crisis management, the CISO is part of an executive leadership team handling the crisis.
In their everyday job, the CISO oversees a team of professionals managing day-to-day cybersecurity activities, including prevention, detection, response, mitigation and recovery. The CISO provides broad leadership to the team, ensuring resource availability and communicating the state of cybersecurity readiness to senior leadership. The CISO also ensures compliance with legal and regulatory requirements; collaborates with other business leaders to protect systems, data and services; and facilitates security awareness training for employees.
During a cyber crisis, the CISO transitions from an operational security leader to an enterprise risk executive. They must balance their technical capabilities with business needs and serve as a bridge between incident response teams, crisis management teams and executive leadership.
The CISO's role before a cyber crisis
CISOs are instrumental in identifying risks, threats and vulnerabilities that could escalate into cyber crises. As such, the CISO is a key member of the crisis management team, which also includes executive leaders and representatives from business continuity, disaster recovery, legal, compliance, HR and PR. External third parties can include incident response providers, cyber insurers and managed security service providers. CISOs help define the roles and responsibilities within the cyber crisis management team.
The crisis management team creates the crisis management plan. CISOs should help define escalation criteria so security and IT teams can identify when an incident becomes a crisis and know how to communicate this to the crisis management team.
Crisis management plan
CISOs should participate in developing the plan for responding to cyber crises. A plan should contain the following components:
- Policy. Include the purpose, scope and objectives of the crisis management program and regulatory requirements to address.
- Strategy. Define when an incident escalates into a crisis, how the organization will respond to various crises, crisis management team members and their roles and responsibilities, and the chain of command.
- Communications. Define who to contact in the event of a crisis, both within and outside the organization, as well as the criteria for communicating.
- Procedures. Include step-by-step activities for initial assessment, escalation to crisis, response and postmortem.
- Media management. Define the company spokesperson during the crisis, outline activities for communicating with external media and specify any social media restrictions during the event.
- Complementary plans. Identify how the cyber crisis management plan connects to incident response, cyber-resilience, business continuity and disaster recovery plans.
- Awareness and training. Describe the training cyber crisis management team members have received and how employees are to operate during a crisis, to build a culture of cybersecurity awareness.
- Exercising. Test and validate the crisis management plan and associated playbooks.
- Review, audit and maintenance. Periodically review the cyber crisis management plan and strategy, audit them to ensure compliance and proper operation, and continuously improve them so they reflect lessons from the most recent crises and the current contacts and instructions.
The crisis management plan should connect with other emergency plans, including incident response, cyber-resilience, business continuity and disaster recovery plans. CISOs also help create playbooks -- step-by-step plans that outline what to do in the event of a given crisis.
Once the plan and playbooks are created, CISOs and the crisis management team should conduct cyber crisis exercises that test escalation procedures, communications plans, decision-making workflows, recovery and regulatory reporting, among other tasks. This involves conducting crisis simulations and tabletop exercises.
CISOs also help prepare executive leadership and the board for a cyber crisis. For example, the CISO explains to executives how and why cyber crises occur and their potential impact, and discusses the organization's plan for responding.
The CISO's role during a cyber crisis
After an incident is escalated to a crisis, the CISO's cross-functional responsibilities begin.
- Support security teams. With their technical background, CISOs lead incident response teams and activate the incident response plan, making response decisions, guiding containment activities and ensuring evidence preservation.
- Activate the crisis management team. The CISO or other appointed party notifies the crisis management team and initiates the crisis response process. The CISO can help delegate responsibilities as laid out in the cyber crisis management plan.
- Evaluate business risk and impact. CISOs take on a risk management role, evaluating business impact, assessing operational impact, and balancing security and business continuity measures.
- Communicate with executives. CISOs and other crisis team leads brief executives and the board on the situation, its impact and response efforts.
- Assist legal and compliance teams. CISOs work with legal and compliance teams to assess legal, regulatory and reputational risks; preserve evidence; and recommend when to involve external experts, regulators or law enforcement.
- Support communications and PR. CISOs help PR teams manage internal communications with employees and other stakeholders, as well as external communications with customers, partners and the media. CISOs can help determine how to be transparent without sharing too much information, while also maintaining trust among employees and customers.
CISOs must also consider the human element. A cyber crisis can be stressful and time-consuming. To reduce fatigue, CISOs should support leadership, fellow team members and employees throughout the process.
The CISO's role after a cyber crisis
Following a cyber crisis, the CISO and crisis management team lead restoration efforts. This includes prioritizing recovery, restoring systems, monitoring systems for residual risks and ensuring backups function as business returns to normal operations.
CISOs continue to keep executive leadership apprised of the situation, explaining recovery efforts, timelines and operational impacts. Follow-ups include supporting regulatory investigations, addressing audit requests, supporting law enforcement and maintaining clear communications with external parties.
Postmortem analysis and reporting are key CISO responsibilities. This involves creating an after-action report that includes root cause analysis, event timelines and recommendations for improvements. The postmortem report should measure business impact and the effectiveness of recovery efforts.
CISOs report these findings to executives, stakeholders and auditors. The report should include information on how the organization will improve its ability to prevent, detect, respond to and recover from future events -- for example, updating training, adopting new controls, implementing new tools, patching systems and updating existing procedures based on lessons learned. Specify whether teams will implement any improvements to the incident response and crisis response plans based on performance during the crisis.
Pitfalls to avoid
When filling the dual role of technical manager and cyber crisis leader, CISOs can make the following common mistakes:
- Incomplete information. Launching a response to a suspected crisis without sufficient detail can lead to problems such as unnecessary system outages or wasted effort. Gather and validate event data as quickly as possible, discussing it with the incident response team while refraining from speculation.
- Faulty communications. Raising the crisis flag before an incident has been validated can reflect poorly on the CISO, leading to loss of confidence from senior management and possible regulatory compliance issues. The wrong message can also damage the organization's reputation. Carefully validate all communications with PR and legal, use business language and document all communications.
- Failure to delegate. Failure to delegate key activities to team members can slow performance and increase the likelihood of mistakes. Delegate responsibilities early in the cyber crisis response process, and have confidence in the crisis management plan and playbooks.
- Neglecting legal and regulatory issues. If the CISO fails to gather data to demonstrate compliance with specific regulations, the organization could face fines and litigation. CISOs must be aware of all legislative and regulatory requirements, gather relevant evidence to demonstrate compliance, and coordinate with internal and external entities.
- Documentation challenges. In the middle of a crisis, it can be easy to forget to take notes on everything happening. These notes, however, are critical for the postmortem, auditing and compliance. Designate a scribe to capture the CISO's insights and instructions during the event, take notes on the teams' activities and gather relevant system logs and event data.
Taking care of business
In a cyber crisis, the successful CISO needs to operate as a technician, an executive and a level-headed leader. For any CISO navigating a crisis, the emotional intelligence and business acumen they display matter just as much as the technical threat the incident poses to systems and data.
Paul Kirvan is an independent consultant and technical writer. He has more than 35 years of experience in business continuity, disaster recovery, operational resilience, cybersecurity, governance, risk and compliance, networking and IT auditing.
Sharon Shea is executive editor of TechTarget Security.