A panel of security leaders coached the audience at SC Congress Toronto on implementing effective incident response programs at their organizations, regardless of size.
On Thursday, Spencer Wilcox, managing security strategist and special assistant to the CSO at energy provider Exelon Corporation, Phil Lambert, director of information security at Granite Services, and Greg Thompson, vice president of operational governance (IT Risk) at Scotiabank, spoke to attendees during the morning keynote.
Scotiabank's Thompson advised organizations responding to breaches or other cyber security incidents to simply “say what you know and don't pontificate on what you don't know” following an event. Speculating about the root cause or origin of the issue could lead the public or media “down a rabbit hole” from which companies might be hard-pressed to extract them.
“Don't obfuscate the truth,” Thompson said. “Don't guess about what the problem could be,” he added, advising attendees to engage the help of involved law enforcement, as they are adept at communicating with the public on urgent matters.
Also, when speaking with company management or top executives about cybersecurity incidents and risks, it's important that practitioners are “not dumbing things down.”
“It's naive to think they can't understand this,” Thompson said, arguing that executives are tasked with staying abreast of other complex and important matters impacting their businesses, like legal requirements and financial reporting obligations.
“We are at the point now where there is a huge demand about this topic,” he said of cybersecurity.
Granite's Lambert also said that IT teams and the C-suite need to find “common ground” before an incident occurs and communicate regularly with one another.
Regarding crisis management, Thompson at Scotiabank said that companies must exercise their muscles, so to speak, in regard to their incident response plans and utilize training resources, when possible.
Thompson added that his own company has run ransomware attack exercises, for instance, in which only executive-level employees participated.
In addition to preparing the organization to respond appropriately to cyber attacks, the exercise also forced management to face philosophical questions like, “Would we ever pay?”
Spencer Wilcox at Exelon also offered incident response guidance for smaller businesses, which may have few to no IT security staff at their company, and less mature incident response programs, if any, in place.
He advised small organizations to “start from the bottom up” when developing a response plan, meaning they should look at the basic operational impact that various incidents may have on their business.
“Look at your recovery capabilities first,” Wilcox said.