
Former Uber and Royal Caribbean security execs share how to build an effective incident response strategy

“I believe that [security leaders are] judged more on how they communicated than what they actually did,” ex-Uber CSO Joe Sullivan says during a BreachRx webinar.


When disaster strikes, it’s not just what you say, but how you say it.

That was the key message from Joe Sullivan, former CSO at Uber, Cloudflare, and Facebook, and Renee Guttmann, former CISO at Royal Caribbean Cruises, Campbell Soup Company, and the Coca-Cola Company, who detailed what a proactive incident response strategy should look like during a virtual webinar hosted on March 18 by intelligent incident response platform BreachRx.

While organizations have traditionally spent their efforts and resources on incident prevention, Sullivan argued that it’s equally important to spend time thinking about how they would combat a crisis. The ex-CSO was previously convicted for helping to cover up a 2016 data breach and was later sentenced to three years’ probation in 2023.

“By default, we spend all of our money, time, and hiring resources on prevention,” Sullivan, now the founder and CEO of a boutique technology risk-management consulting firm, said. “But at the end of the day, how we are judged as an organization is often how we handle [a] crisis.”

Teamwork makes the dream work. Security incidents are no longer a rarity for today’s organizations. When an incident arises, Sullivan said security leaders should “step back” and make sure teams in a company are coming together as needed to properly respond to the crisis. That includes everything from making decisions on when it is best to loop in the communications and legal team, to making sure employees are fed and well-rested.

“I think of our role as like a conductor of an orchestra,” Sullivan said. “If you’ve planned it out and staffed it right and trained people right, then you really shouldn’t be making the music.”

Guttmann, who is now a founder and principal at her own cybersecurity consulting firm, added that security leaders shouldn’t be afraid to delegate different tasks to people within their organization.

“What I hear when I talk to [CISOs] is that they feel like all of this stuff is their job. It’s their responsibility. This whole weight is theirs,” Guttmann said. “And I think parceling out roles and responsibilities and giving people assignments is not necessarily a sign of weakness.”

Express yourself. When things go south, Sullivan said communication is crucial.

“If you look at how companies and security leaders and teams are judged, I believe that they’re actually judged more on how they communicated than what they actually did,” Sullivan said.

The security leader said organizations should have a different communication plan tailored to each party involved in an incident.

“Your employees want to hear about it before the public hears about it, but regulators want to hear about it before the public hears about it,” he said.

Guttmann added that incidents are not the time to play the blame game.

“That’s sort of worthless in the middle of an event to start doing things like that,” she said.

Strike a (de)pose. During the discussion, the two industry veterans also got candid about what it is like to be called on to depose in a legal case, with Guttmann saying that the occurrence happens to CISOs more than one may think. Sullivan—who shared that he has been deposed multiple times and is no stranger to “uncomfortable legal processes”—advised CISOs to document their decision process during a security incident in real time to better position themselves in the event that they need to go under oath down the line.

“I think, too often, lawyers would prefer you don’t write it down, and I think that’s to protect the company, but I’m speaking to protect the security leader and the security team,” Sullivan said. “The more you document the process…the better.”
