The role of the CISO during a cyber crisis

By: Stephen Moore

The role of a chief information security officer (CISO) can never be miscategorized as low-stress.

As cyberthreats become more incessant and malicious, a CISO’s job is increasingly difficult, and the challenge of safeguarding corporate, customer and employee data along with intellectual property becomes even more challenging. The person hired for this position must understand how to react during a cyber crisis in order to help mitigate any damages and manage the corporate security strategy together with C-suite support.

A cyberattack can take any company by surprise. Depending on how quickly and efficiently the CISO responds, can set the tone for how much damage is done to the company’s reputation and financially. When a CISO is prepared and aligned with other C-suite professionals, it is possible to undermine some of the negative effects of the cyberattack. The following steps will illustrate how the CISO needs to react during a cyber crisis.

Anticipate an Attack Before it Happens

The best individuals for CISO and corresponding C-suite roles are always prepared. Before any attack results in a breach or other serious consequence, you want to have an effective incident response policy. By creating this policy, it establishes processes and procedures based off of best practices you’ve observed. As you establish your protocol, keep in mind who you want to be on your computer security incident response team (CSIRT). A CISO should ask themselves the following questions:

●      Who would be the most effective during a cybersecurity crisis (CSIRT)
●      What responsibilities each involved party should have
●      How you mobilize and when you mobilize each involved party

In addition to understanding everyone’s role during a cyber crisis, it is important to also budget for these incidents. Since cybersecurity incidents can happen at any time, it is important to have staff around the globe or around the clock.

Contain the Breach and Discover the Details

After an organization discovers their network has been compromised, it is important for the CISO to ensure the devices that might have been affected are taken offline, but not to shut down anything. This is so that communication between the devices can be contained but there are still clues about how it happened. If it is possible, take a screenshot of any suspicious activities on the screen for the security team to analyze. A CISO needs to make sure either themselves or another security team employee advises all employees of the company to change their password, in case the adversary is using stolen credentials.

With the support of their team, it is a CISO’s responsibility to determine the following details of the breach.

●      How did the breach happen? Was it stolen passwords, a particular vulnerability? An unauthorized, tampered-with device?
●      How much was impacted? What information was accessed? What systems were compromised? Which accounts may have been used?
●      What is your plan to stop it and how will you prevent this type of attack in the future?

Assemble Your Team

As soon as disaster strikes and details of the breach are discovered, the next step a CISO should take is to let their CSIRT team know.  After this, it is important for the CISO to brief other C-suite members, as well as appropriate parties such as the legal, PR and customer relations teams. In addition, involve HR and corporate communication teams so they can properly disclose a breach to customers. Consider whether or not there will need to be any investigation into the breach. Incorporating these groups of people will ensure the rapid recovery of systems impacted by an incident for a business community.

Inform the Public

Perhaps the most important step to mitigating any damages that were a result of the breach is how a company addresses the issue with the public. Together with the PR team, legal team and other C-suite members, align on how to make the announcement. Companies should inform their customers what information of theirs might have been leaked, how long the issue was going on, how the problem is being fixed and steps customers can take to protect themselves without putting the company further at risk.

Assessing Where to Go Next

Once the breach has been contained and the public is informed, the CISO then must take steps to ensure the same attack will not happen again. CISOs and other C-suite members must assess any gaps in training, awareness, security measures, technological capabilities or some other point of entry. By actively collaborating with security analysts, CISOs can bridge the divide often felt by their teams and avoid problems. For a considerable time after the breach, a company should have their security team focus on reducing the risk of a recurrence by testing for and patching vulnerabilities, incorporating encryption and using two-factor authentication testing.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.