Three Battle-Tested Tips for Surviving a Cyber-Attack

Experiencing a cyber-attack as a chief information security officer (CISO) or a cybersecurity leader in your organization can be daunting.

Russell Ayres, SVP of cyber operations and deputy CISO at Equifax, knows it better than anyone. He was appointed interim CSO in 2017 after his organization suffered a significant data breach that exposed the private records of 147.9 million Americans, 15.2 million British citizens and about 19,000 Canadian citizens.

Ayres, speaking at RSA Conference 2024 alongside John Carlin, co-chair of law firm Paul Weiss’s cybersecurity and data protection practice, Tim Crothers, director of Google Cloud’s office of the CISO for the retail sector, and Patricia Titus, CISO at Booking Holdings, shared some recommendations to survive a cyber-attack or data breach.

Infosecurity has selected the top three tips that can be implemented at no cost.

Three CISO Tips for Managing a Cyber Incident

Conduct Realistic Wargames and Tabletop Exercises

CISOs and cybersecurity executives should prepare for a breach by simulation and testing such scenarios.  

Carlin said: “As a security leader, you need to assume a catastrophe, and the best way to do this is by ‘wargaming’ it. Conduct regular tabletop exercises, in a language the CEO and the CFO will understand. The number one mistake that leads to a CISO losing their job is failing to communicate across the organization pre-incident.”

The benefit of tabletop exercises is “to build muscle memory across the organization,” Crothers added. “Although you may get the scenarios wrong, you could still have prepared for the right reactions from your colleagues and team.”

Crothers insisted that these war games should be as realistic as possible and involve people of all levels within the company.

Security leaders should run them in a natural working environment with real-life constraints.

Titus explained: “You should not require more than two to three hours from the executives and the board members, because they won’t have more time in real life. Also, you don’t have to perform a full scenario in one go, as a cyber-incident will unfold in several stages across several days or weeks.”

Ayres also insisted on trying different scenarios in which key security or business leaders, including the CISO and board members, are not present to deal with the incident or make decisions immediately.

“In my case at Equifax, some board members had left because of the breach. In this case, you need a plan ready to decide who will make decisions in the interim period. Think of the people you think you will rely on if the primary decision-makers are gone,” Ayres said.

Involve People Across the Company

Google’s Crothers said that the company’s general counsel must be the first person a security leader calls when they have detected a cyber incident.

“Everyone, from the media to your partners and your customers or clients, will try to make a judgement about how much you are in control of the situation. That’s why it is key to coordinate with the legal team as soon as possible, however significant the incident is. In case it eventually is less impactful than you initially thought, you have just wasted a phone call, which is acceptable,” Crothers explained.

He also recommended involving people from all levels of responsibility in the incident response plan and the tabletop exercises, from the CEO to the lower-tier security team members.

“CEOs are used to being in charge. However, in times of crisis, they may not have the required skills to make some critical decisions,” he said.

Ayres concurred: “During a cyber incident, the ones you think you will rely on are not necessarily the ones you will actually rely on. Maybe you will realize that a particular SOC analyst, for instance, is the person everyone seems to turn to when things go wrong. Also, don’t forget to take care of people who are going to take care of you.”

Anticipate Your Crisis Communication

The security leaders agreed that the way the organization communicates internally and publicly during a cyber incident is as important as the decisions it takes.

“Sometimes, a public statement saying ‘We don’t know anything,’ can take an awful long time to prepare,” Crothers said.

Like tabletop exercises, Crothers recommended asking the communication team to prepare statements following different simulated cyber incident scenarios in collaboration with the legal team.

“Because crisis communication is different from day-to-day communication, you may even need to hire external people other than the ones usually responsible for your organization’s communication,” Carlin concluded.