Date: 21st of March 2017

As a CISO, how do you react to a Cyber Security Incident or Crisis?

I am sure some of you out there would argue that being a CISO can be a full-time crisis management position in itself, perhaps more so for those who report to CIOs. A cyber security incident leading to a crisis in critical national infrastructure, or one related to national security, could lead to the potential loss of life. For the majority of us in the private sector, however, it could mean some level of damage to your company's reputation, share value and market position, and in some cases the loss of your role. At the other end of the scale it may turn out to be a false positive with no impact at all. I am not claiming to have the answer, but I wanted to share a few thoughts on the subject, as in my opinion there is more to this than following a documented, formally approved set of plans that is tested bi-annually.

Does your organisation overcomplicate or underestimate it? Or does anyone actually care until something does go wrong and everyone blames the person who has just left the room? So where is the balance, the middle ground? Every organisation must understand what is important to it in order to understand how it needs to act, not react, in the event of a cyber crisis. But the best-laid plans cannot and will not replace one thing, the human element, which I keep coming back to. Personally I rely on facts and try to keep the following in mind (in no particular order):

What business impact has the incident caused and does that severity justify a crisis call / escalation?
If yes, has the incident directly or indirectly impacted the customers we serve or the staff we employ?
Has the incident put any of our customers or staff in danger?
Has the incident broken any laws or breached any local regulatory requirement?
Should I involve law enforcement, and if so, when?
My initial reaction, answering my own question: I would take a logical approach in my attempt to resolve the issue, understanding that in order to do that I need the support of others. As humans we are all wired differently and have different emotional and logical responses to different situations. Getting the answers to my five-point list above is, to me, more about leadership and teamwork. Without that bi-directional support you will fail. Being directive is one thing. I have seen some of the most seasoned executives make mistakes in crisis situations, not because they are incapable or lack the knowledge; they just have a different way of dealing with things, especially a crisis. Some CEOs, CROs and CIOs I have worked with do not want to recognise the problem in the first instance and lack the ability to understand what to do once we are in crisis mode. This is something firms need to start to recognise when assigning responsibility to Crisis Management Teams.

On August 2nd 1990 Iraq invaded Kuwait. It was swift. It only took a matter of hours for the Iraqi Republican Guard to take the capital, the airport and the radio and TV stations. Kuwait had a nationwide emergency broadcast system that went off around 12 noon or 1pm on the 1st of every month, similar to the ones used during WWII. Its intent: to warn the population of a potential attack. It failed to go off on the morning of the invasion. I know this, as I was there. Being in a conflict zone has a tendency to put things into perspective. If it was not for the direction and leadership of my parents, the support of my mother and sisters, the help from friends and the care and selflessness of strangers, our lives could have been very different. On hearing the news of the invasion, there was little time to react emotionally; we needed to act logically. No planning in the world can, in my view, actually prepare you for such a crisis. Looking at it today, all the signs that the conflict between Kuwait and Iraq would result in an invasion are very clear; the intelligence was there. On the other hand, I was 14; I had a party to go to that evening! I had no real understanding of what was going on or what the impact would be. Reality for me set in only about 3 days later, when Iraqi forces started to shell a palace about 1/2km from where we lived. Looking back on that day, we had a matter of hours to make decisions, without knowing that they could be life-threatening. 40 days later we were back in the UK. How we got there is a whole other story.

As CISOs, as much as we want to rely on dealing with incidents and crises in a set, formulated manner, I think in the end the area in which we work is ever changing; there is a fluidity to it. I think we need to start building that into the fabric of the operating models we develop, to ensure effective and practical cyber resiliency. Educate and communicate with your teams in the first instance, closing the knowledge gap so that your teams can act and not react; simply put, so they can see the difference between a problem and a crisis. Educate the business to reduce the risk of incidents (though hard, it is one of the most effective ways to prevent cyber incidents), and be intelligence led. People are busy (or they claim to be), therefore you need to be factual: if you don't know, don't make it up. In the end, take responsibility. It is not someone else's problem to resolve.

To answer my own question again: how would I react to a cyber incident or crisis? With logic, I think, but leaning on my emotional intelligence to get the results that are needed. In a crisis it can be all emotion; the key is to distil the logic.

Thoughts….

The CyberTree Paradox
