Organizations spend a lot of time, resources and money on avoiding data breaches. Some organizations even go as far as hiring experts for testing and penetrating company systems to provide assurances of breach mitigation. However, breaches do occur, and companies need to spend as much time thinking about breach avoidance today as they do planning for the time when a breach does occur.
Why is a data breach plan so important? As the media has begun to focus on data breaches—and the general population begins to take an interest—cyber breach mitigation has moved beyond a mere technology issue. In other words, the damage of a breach is often determined by the courts of public opinion and perception. How companies handle the event can often determine if the company and its leadership will be able to survive the public courts; if the company is publicly traded, the stock price can become an issue, as well.
The best defense is a proactive, offensive strategy. For this to occur, CISOs need to take an active role in preparing for a breach. Data breach preparation must go beyond technical risk assessments or penetration testing to ensure the IT systems are secure and include key parts of the business. This is often documented in the form of a breach-response plan. Some organizations might extend existing processes to include cybersecurity, often in the form of a crisis-management plan. Whichever way you go, the plan needs to be documented, reviewed, and, most importantly, invoked in preparation exercises.
A breach-response plan should address, but is not limited to, the following considerations:
- Assign an executive sponsor. This should be someone within the organization responsible for key issues impacting the company. I recommend tapping the COO or similar executive. Successfully making this a non-technology issue can often be overlooked if the CISO or CIO takes the lead. Make no mistake, those executives will lead this; but the business plays a critical role, so make enlist someone from as high up in the organization as you can to keep the business’s skin in the game.
- Know the key roles and responsibilities. This might seem simple, but it’s not. Why not just have people do their day jobs when responding to a breach? During a company crisis, people will—and must—have clear, specialized roles servicing the crisis resolution. And don’t forget to identify a delegate. Assume that not everyone you have assigned is going to be available for all breach situations, so document a delegate for each.
- Use current and past breaches to formulate strategy. Your plan needs to have a clear objective. It should focus on rapid recoverability, quick response to data discovery, and use of law enforcement, as applicable. Studying similar, prior breaches is a great way to formulate your plan of attack. Reflect on key mistakes and identify actions that provided confidence and assurance to the court of public opinion.
- Ensure that media/PR teams are key stakeholders. As stated, a large part of your breach response is communication with customers, the board, investors, and the public. Quickly determine who in the company can, and should, be leading this. It may not be best to assume it is always the CEO—it could be the CISO or someone else from whom people want to hear. Often, it will be a combination of several leaders, depending on the nature and scope of the breach.
- Have a bench. Technically speaking, this could be an external third party on retainer to augment the core teams, as well as provide unique expertise. Again, think beyond the technical. Your media teams might need a crisis-management third party. Your cyber teams will want a forensics capability. Often, for the sake of objectivity, these roles are not solely based on talent; they could, instead, be about trust. Third-party validation goes a long way. And don’t forget about business operations. Call centers, for example, can be built to manage general support. A third party should be able to come in with a pre-developed script ready to support and burst those calls.
We could go on, but the point is to spark a tone in which the CISO and cyber teams are thinking about a breach plan that is well-documented—based on historical scenarios—with broad business representation, including the ability to extend to third-party resources where necessary.
Then, once you have such a plan in place, be prepared to throw it out the window. Read part 2 of this article next week to find out why.