
Effective crisis management for CISOs

In an era where data breaches, ransomware attacks, and cyber espionage are no longer outliers but distinct possibilities, the role of the Chief Information Security Officer (CISO) has never been more crucial. Yet, despite mounting challenges, stakeholder expectations of a seamless, secure user experience have also grown exponentially. This dynamic creates an environment in which the potential for a crisis is ever-present.

A crisis can often be a defining moment for an organisation, and even more so for its CISO. How well a crisis is managed can set the tone for stakeholder trust, regulatory scrutiny, and the long-term credibility of the IT security function within the business. While traditional risk management strategies focus on risk identification and mitigation, crisis management goes several steps further, emphasising preparation for breaches, decisive action during the crisis, and post-incident reviews aimed at systemic improvements.

For CISOs, the ability to navigate the stormy waters of a crisis hinges on readiness, effective management, and a culture of continuous learning. This article aims to serve as a comprehensive guide to help CISOs prepare for, manage, and learn from cyber crises. By addressing the lifecycle of a crisis — from initial preparation to post-incident review — this article will equip you with the insights to manage crises in a way that minimally impacts the organisation while maximising learning and future preparedness.


Preparation for crisis: A deep dive

Identifying and prioritising scenarios
  • The first step in effective crisis management is knowing what you're up against. This involves identifying cyber scenarios that are likely to occur and would have a high impact. Some common scenarios might include ransomware attacks, data breaches, and insider threats. Once you have a list, work with your IT Security team to clearly articulate roles and responsibilities for each scenario. A step further would be to detail interdependencies with other departments, such as IT Operations and Legal. Knowing how your actions integrate with the wider organisation can streamline your response and provide a more coordinated effort when a crisis strikes.
Skill mapping across the IT footprint
  • Next, understanding the skill set of your team is vital. Create a comprehensive list of IT Security personnel, noting their areas of expertise, certifications, and experience. This is more than a roster; it’s a resource that allows you to deploy the most appropriate individuals for any given crisis.
Coordinating with third parties and agencies
  • External partners can provide valuable assistance during a crisis. Identify key organisations, whether they're government agencies, law enforcement, or third-party cybersecurity firms, that can be consulted or brought in for support. Have clear protocols for when and how these entities will be engaged, and establish pre-emptive communications where possible.
Organisational synchronisation for crisis management
  • Every organisation has its own approach to crisis management. A CISO’s methods should be in lockstep with the organisation’s wider strategy. Identify the key decision-makers and chain of command in your organisation and establish clear communication channels. Make sure your crisis management plans are aligned, and regularly review them for any changes in organisational structure or strategy.
Scenario-based training and exercises
  • Paper plans are a good starting point, but the real test of your crisis management capabilities comes when they are put into action. Regularly schedule and run exercises that simulate crisis scenarios, involving not just the IT Security team, but other relevant functions such as IT Operations, Public Relations, and even the Board. Document the outcomes, identify gaps, and iterate your crisis management plans accordingly. Use these exercises as an opportunity to validate and, if necessary, challenge the assumptions underpinning your strategy.
Continuous updates and reviews
  • The cyber landscape is dynamic, and your preparation should be too. Constantly update your top 10 scenarios based on evolving threats. Likewise, keep your skills matrix and external agency relationships updated. Regularly revisit your preparation plans, ideally aligning this with a risk assessment to ensure that the preparation is commensurate with the risks you face.


Managing the crisis: The eye of the storm

Calm and collected leadership
  • When a crisis erupts, emotions run high and the pressure to act swiftly can often lead to rash decisions. It’s vital for the CISO to exhibit calm and collected leadership. The aim is not to completely remove emotion but to harness it in a way that leads to thoughtful and decisive actions. Practicing this mindset during your scenario exercises can train you and your team to make better decisions under stress.
Questioning and challenging assumptions
  • When under pressure, even the most experienced professionals can make assumptions that may not hold water. As a CISO, you should cultivate a habit of critically assessing the situation by asking probing questions like, "What do we believe to be true, and how do we know it's true?" This kind of scrutiny can often lead to more accurate situational awareness, thereby facilitating better decision-making.
Handling the “Hippo”
  • During crisis situations, you'll often find yourself in meetings with the 'Hippo' (Highest Paid Person in the Room), who might demand quick and sometimes simplistic solutions to complex problems. It's your role to manage these expectations. You should be prepared to articulate the complexities and risks involved, guiding the discussion toward more realistic and effective solutions, all while being diplomatic to maintain the chain of command.
The importance of comprehensive documentation
  • In the chaos of a crisis, details can get overlooked. It's essential to document every action taken, both by and towards the IT Security function. This serves two purposes: accountability and post-incident review. Well-kept records can be a goldmine of information when evaluating the effectiveness of your crisis management strategy.
Team wellbeing
  • While it's easy to focus solely on resolving the crisis at hand, it’s critical to remember the human element. IT Security teams can suffer from fatigue and stress, affecting their performance and decision-making abilities. Know when to rotate team members in high-pressure roles and when to give your team a well-deserved break.
Present focus over root-cause analysis
  • There's a time and place for dissecting the events that led to the crisis, but during the incident is usually not it. Steer the conversation away from blame and towards immediate actions that can mitigate and resolve the issue. Don't allow the team to get bogged down in time-consuming investigations of how and why it happened; there will be plenty of time for that during the post-incident review.
Avoiding the blame game
  • Crises are collective challenges requiring collective solutions. Indulging in blame games or finger-pointing not only wastes valuable time but also impacts team morale. Keep the focus squarely on what can be done in the here and now to resolve the situation.


Post-incident review: Learning from the crisis

Establishing the scope of the Post-Incident Review (PIR)
  • Once the crisis is over and immediate threats are mitigated, it’s important to engage in a comprehensive PIR. The scope of this review should be agreed upon with the Crisis Committee Chair and should extend beyond merely identifying the technical root causes. The aim is to examine the effectiveness of the response mechanisms, the quality of decision-making, and the impact on stakeholders, among other aspects.
Creating an atmosphere for open dialogue
  • For a PIR to be effective, it’s critical to foster an atmosphere of transparency and openness. People need to feel secure enough to share mistakes and oversights without fear of retribution. This 'psychological safety' is a key element in ensuring that you get the most out of your review process.
Evaluation of response effectiveness
  • Were the mitigation strategies effective? Did the team function as it should have? Did the external agencies contribute effectively? These are some questions that should be part of the PIR. Evaluating the effectiveness of the response gives you a chance not just to identify what went wrong, but also to highlight what went right, providing a balanced view that can be extremely beneficial for team morale and future planning.
The dangers of 'Hero Syndrome'
  • It can be tempting to focus on the successful aspects of your crisis response and to celebrate the 'heroes' who made it possible. While acknowledging outstanding efforts is important, relying solely on heroics is not a sustainable crisis management strategy. Be wary of falling into the 'hero syndrome' trap, and instead focus on systemic improvements that can help prevent or mitigate future crises.
Root cause analysis and lessons learned
  • Identify and analyse the root causes of the incident and the effectiveness of the measures taken to mitigate its impact. This should culminate in a ‘lessons learned’ document that outlines both successes and failures in an objective manner. Use this document to create actionable items.
Remediation programme and accountability
  • Any actionable items that arise from the lessons learned should be entered into a remediation programme. This involves assigning tasks to specific people, complete with timelines for completion. The aim is to ensure that improvements are not just identified but also implemented.
  • For your next scenario-based exercise, consider using the recently experienced crisis as a model. This 'live' test allows your team to understand the practical implications of the improvements you’ve implemented and ensures that your crisis management plans are as up-to-date as possible.
Closing thoughts: Navigating the path forward
  • Crisis management is not a one-off effort; it's an ongoing process that evolves with the changing cybersecurity landscape. This evolution is not just about adapting to new threats but also about learning from past experiences. The effectiveness of a CISO in managing crises depends on a continuous cycle of preparation, action, review, and improvement.
Emphasis on dynamic planning
  • One of the key takeaways should be the importance of maintaining dynamic and adaptable crisis management plans. The cyber world is ever-changing, and your strategies should be capable of evolving with it. The periodic review and update of plans, scenario exercises, and external agency partnerships are all aspects that require your ongoing attention.
Holistic approach to crisis management
  • An effective crisis management strategy is not just about IT protocols and immediate actions; it also involves soft skills such as leadership, critical thinking, and diplomacy. These skills are not secondary but integral to successfully navigating the complexities of a crisis.
Team-centric view of success
  • Finally, a crisis is never a solo endeavour. It's a challenge that tests not just the CISO but the entire IT Security team, and often, the entire organisation. Emphasising team cohesion, inter-departmental coordination, and collective learning can go a long way in not just resolving crises effectively but also in fostering a more resilient and robust organisation.


The quest for continuous improvement

Even if you've successfully navigated through a crisis, the work is far from over. Use each experience as a stepping stone towards refining your strategies, tightening your protocols, and strengthening your team. The goal is not just to survive each crisis but to emerge from it more capable and better prepared for the challenges that lie ahead.

In conclusion, effective crisis management is a blend of preparation, execution, and post-crisis evaluation. It’s a continuous journey that demands a proactive mindset, robust planning, agile execution, and most importantly, a commitment to learning and improvement.

If you would like to speak to one of our experts about how Deloitte can help you prepare, manage, and recover from a crisis, feel free to contact us today.

If you would like to join the Deloitte CISO Programme, please contact CISOProgrammeUK@Deloitte.co.uk