The CISO’s Response Plan After a Breach
There’s no escaping the fact that post-breach leadership is a part of every security team member’s job. Spearheading post-breach action and recovery is the ultimate test of a security leader’s skills, confidence, and mettle. But it is also an opportunity for you and your organization to collaborate and shine in the face of adversity. In our recent webinar, The CISO’s Response Plan After a Breach, Exabeam Head of Security Strategy, EMEA, Sam Humphries, and Exabeam Chief Security Strategist, Steve Moore, help you navigate the waters of post-breach response for when the inevitable occurs — whether you’ve lived through the experience of a previous breach, or are patiently waiting your turn.
In this article:
- What can you do to prepare before a breach occurs?
- When a breach occurs, manage the message
- When to communicate with and without emotion
- Fostering a culture of learning
- A root cause analysis now can help in the future
What can you do to prepare before a breach occurs?
There are many things to do before a breach occurs to ensure you are equipped to respond quickly and efficiently. First, get to know your key stakeholders (legal, communications, executive leadership, regulators' contacts) so that you aren't meeting them for the first time during a breach. Steve says, "You don't want to have to make introductions during a crisis. The number of introductions you make during a crisis is an indicator: the greater that number, the lower the level of preparation you've had."
Other things also need to be prepared before a breach actually happens, such as a breach notification letter. You don't want to be struggling to draft the notification letter while also trying to contain the breach. Along with this, it's crucial to run a breach simulation. Steve suggests, "Do the simulation and look to see how uncomfortable everyone is when you write your own preemptive note (breach notification letter); it's your sort of public failure, but see who's uncomfortable. Talk about the following questions: Where do we host it? How do we notify? Who do we contact? What's the tone?"
When a breach occurs, manage the message
A breach notification letter should include enough relevant information but does not need to include every little detail of the breach. Steve explains, “You’re not trying to hold information back, but that source of truth doesn’t need to be shared with everyone. And that includes the internal company as well. They’re going to be really curious. They don’t need to know everything. It’s not because you don’t trust them, it’s that you have to manage the message. I would encourage you to share as much as you’re able to. Say as little as possible, but be as truthful as you can.”
When a breach does happen, people in authority are going to be very eager for updates; make sure to let them know when they will be receiving them. These are the people who will be talking to the media, lawyers, and others. "What they should and shouldn't say is going to get mixed up," Steve says. "You have green phrases and you have red phrases, and you want to keep them focused on the green phrases. These are the themes that we're going for." Make it clear which phrases are green and which are red before anyone speaks to outside parties. For example, if there is a rumor that the breach was started by a nation-state, that is a red phrase: unconfirmed attribution should not be discussed. It is crucial that everyone is aware of what should and should not be shared.
It’s important to know who will need to receive a situation report or SITREP, and when. “Depending on where you are in the world, you may have various authorities that you need to notify at the point of a breach,” says Sam. “They may have different requirements as well. The external authorities’ rules may differ around how to notify customers and third parties.”
It’s also important to know who should deliver this message. Steve adds, “Whoever manages this message can’t always be the same person — you’re going to have to delegate that sort of authority because there’s going to be so much heat on you and on your team. Speed is very important in many cases. Depending on the type of breach, you may be asked not to notify for a certain period of time, if it’s ongoing, especially in cases of espionage.”
Steve and Sam agree that you need to have a single source of truth when a breach occurs. This means that only a small team of people know exactly what is going on and what is the actual truth of the matter. “You don’t want to have multiple sources of truth,” Sam says. “You need to keep that core group very tight and you have to keep the message even cleaner.”
Part of your planning is to make sure people understand how to deliver a message in a crisis. It shouldn't just be a case of reading it out and saying, "I can't tell you any more." If somebody is screaming at you down the phone or at a front desk, what can you do next? Where can you point them for further information? Do you have an automated communication service that customers can sign up for to receive the next updates? All of these things need to be ironed out before you end up in a breach situation. Being clear about when people will get the next update, and then sticking to that schedule, is really important.
When to communicate with and without emotion
If you’ve experienced your data being breached, then you have likely received a letter from an organization that “starts with this glorious sentence,” says Sam. “‘We take the security of our customers very seriously.’ It has been overused, any sense of emotion has gone now, and it’s become a running joke in the security community because it doesn’t feel like it’s actually true and well-meant. So please stop using this phrase.”
Steve explains that there are other ways to prove or disprove that you have a well-intentioned security program and that keeping your customers’ information secure is something you truly do prioritize. “If you’re in the position where you have to communicate this — outside of a breach scenario — list facts of the great capabilities you have,” he says. “Rather than just sharing platitudes, focus on the capabilities that you’ve built, what you’re able to do, and how well you do it. What is your maturity and efficacy along that curve, rather than just making these sort of grandiose statements; they will be used against you.”
Many organizations retain professional crisis managers and communication experts to train and coach spokespeople for speaking to the media. Media training involves helping with not only what to say, but how to say it — which words to use and what tone to deliver them. It’s important to identify who will represent the organization, and which security team members will coach them on the message. If it’s the CEO or another executive, they’ll need to be comfortable talking publicly about security concepts in a convincingly knowledgeable way. “The best organizations practice this,” says Steve. “Being able to deliver it calmly and maybe with less emotion, in that regard, in terms of the practice of the delivery is important, but having some emotion like any other situation, that’s excellent internally to say, ‘Hey, this is our time to define ourselves. This is an awful situation, but we will be known more for the way we respond to the breach than the breach itself. So this is our time; you’re going to learn.’”
Here are the top tips for delivering a message:
- When communicating in print, be factual first
- Don’t downplay the event when you have all the facts
- Be genuine
- Own the failure
- Show empathy for the recipient
- Whoever delivers your external message must be trained and have the right support
Fostering a culture of learning
A breach is an ideal time to learn from your mistakes and prevent these mistakes from happening in the future. Steve explains, “You have a mission, you have a team, you are part of this organization. You’re proud to be a part of it, hopefully, but you also have to manage the optics of your brand as well. A breach is a perfect time to learn and can be beneficial for leadership and career development. So the breach happened, you can’t change that. We’ve already missed out on the opportunity to prevent that. Once it’s happened, what do you make of it?”
A root cause analysis now can help in the future
Sam firmly believes that root cause analysis is a necessary step to take to understand why the breach happened and how to prevent it from happening in the future. "You have to do this," she says. "I can't stress this enough. I've seen enough times where there's been a breach or an incident at an organization where they have gone back to business as usual, and then kind of shut the book and said, 'All right, well done everyone. Thanks. Let's just get on.' And then the same place next week is pretty much where we're going to be at. You have to follow this circle. If you ignore the post-breach activity, which can take months, months into years sometimes, you will find that you are in a world of pain very, very quickly. And I say this, having seen it many, many times over."
Steve advises that you should write up observations that lead to future change. For example, “there’s a reason why we think this failed, or there’s a reason why we can’t answer definitively why this happened. We have a gap in visibility, we have a gap in capability, or we know that this is an issue with permissions in temporary directories on workstations,” he says. “Those observations should roll up into some kind of risk register. And that allows for future cooperation, maybe investments, and organizational change. So your observations, your intelligence should drive maneuvers, is what they say. So focus on that.”
For more insights, watch the webinar or read the transcript.