Crisis management needs to become a regular cybersecurity routine
There’s a famous poem by Rudyard Kipling that opens with some advice for his son on the importance of keeping your head when all about you are losing theirs and blaming it on you. Anyone who has ever been involved in crisis management knows how difficult it can be to hold down the panic and dread that inevitably attach to a major cybersecurity breach. Unfortunately, a new survey of 248 business leaders conducted by Ethisphere and the law firm Morrison Foerster finds that not only do most organizations have little confidence in their ability to manage a crisis, but the most likely root cause of a crisis is a cybersecurity breach.
A full 67% of respondents said they have crisis management plans in place that specifically address a cybersecurity event. But two-thirds of the survey respondents admitted they were only somewhat confident (56%) or minimally confident (10%) in their crisis management plan. The survey also finds that those who are confident in their crisis management plan share two attributes: they have a formal crisis management team with a documented process to follow, and they conduct drills on key risk areas at least once a year.
The good news is that the survey also finds many chief information security officers (CISOs) are now playing a major role in formulating those plans. Nearly half the respondents (48%) say CISOs play an active role in crisis response. A further 15% go so far as to put the CISO in charge of crisis response for all types of crises by default, the survey finds. The assumption, of course, is that CISOs have the most experience handling a crisis.
Unfortunately, the more people involved in crisis management, the more contagious panic can become. Having more people involved, however, is unavoidable. Cybersecurity breaches now routinely affect company valuations as the cost of remediating a major breach reaches into the millions of dollars. Cybersecurity teams would be well advised to take the lead on either crafting or updating their organization’s crisis management plan. Hopefully, putting such a plan into action will never be required. But given all the possible ways an organization can be breached these days, it’s probable that most organizations either have already experienced a crisis or soon will. Those that have already experienced a major cybersecurity breach either thanked Providence they had a robust crisis management plan in place or very much wished they had one to follow. Once an organization has been breached, there’s also a high probability that whatever plan was in place was reviewed with some hard-won 20/20 hindsight. An effective crisis response plan addresses not only what IT needs to do, but also how the human resources, finance and public relations teams should respond.
Given all the teams involved, the first page of any crisis management plan should probably contain a copy of Kipling’s poem. After all, the single most important attribute in any crisis is arguably having the force of will to withstand a storm that will, one way or another, inevitably pass. But in the absence of sheer determination, it’s always best to have a plan that keeps everybody focused on the immediate tasks at hand.