There’s a famous poem by Rudyard Kipling called “If—” that starts out with some advice for his son on the importance of keeping your head, when all about you people are losing theirs and blaming it on you.
Anyone that has ever been involved in crisis management knows how difficult it can be to hold down the panic and dread the inevitably attaches to a major cybersecurity breach.
Not only do most organisations have little confidence in their ability to manage a crisis, but the primary root cause is likely to be a cybersecurity breach. That’s according to a recent survey conducted by Ethisphere and law firm Morrison & Foerster.
The survey indicates that 67 percent of respondents said they have crisis management plans in place that specifically address a cybersecurity event. But two-thirds admitted they were either somewhat or minimally confident in their crisis management plan.
What’s interesting to note in the survey is that those that are confident in their crisis management plan share two attributes. They have a formal crisis management team that has a documented process to follow and they conduct drills on key risk areas at least once a year
Crisis management must be mandated from the top
The good news is that many chief information security officers (CISOs) are now playing a major role formulating those plans. Nearly half the survey respondents say CISOs play an active role in crisis response. A further 15 percent go so far as to put the CISO in charge of crisis response for all types of crises by default. The assumption, of course, is that CISOs have the most experience handling a crisis.
Whether it’s a CISO or another leader driving crisis management, they must demonstrate crisis leadership skills or acquire them – years of experience doesn’t make for good crisis leaders by default. They must strive to maintain credibility before, during and after any crisis. This is crucial to managing the outcome of the crisis and the company’s reputation.
Unfortunately, the more people involved in crisis management, the more contagious panic can become. Having more people involved, however, is unavoidable. Therefore, crisis management must include clear implementation steps throughout the entire organisation to weather the storm.
For publicly listed companies, a drop in share price is an immediate indication of the damage any crisis including cyberattacks causes. However, if handled well, this can bounce back. Cybersecurity breaches now also routinely affect company valuations, as the cost of remediating a major breach reaches into the millions of dollars.
What’s hard to assess is the impact on stakeholder trust – any loss of trust creates a reputable meltdown and must be avoided at all costs.
Cybersecurity teams are well advised to take the lead on either crafting or updating their organisations crisis management plan. Hopefully, putting such a plan into action will never be required. But given all the possible ways an organisation can be breached these days, most either already have experienced a crisis or soon will.
Weathering the storm
Those that have already experienced a major cybersecurity breach either thanked their lucky stars they had a robust crisis management plan in place … or very much wished they had one to follow. Once an organisation has been breached, there’s also a high probability that whatever plan was in place was also reviewed with some hard-won 20/20 hindsight.
An effective crisis response plan not only addresses what IT needs to do, but also how human resources, finance and public relations teams should respond.
Given all the teams involved, the first page of any crisis management plan should probably contain a copy of Kipling’s poem. After all, the single most important attribute in any crisis is arguably having the force of will to withstand the storm that will one way or another inevitably pass.
But in the absence of sheer determination, it’s always best to have a plan that keeps everybody focused on the immediate tasks at hand.
About the author
Andrew Huntley is the regional director for ANZ and the Pacific Islands for Barracuda Networks. For more information, visit: https://www.barracuda.com/