Crisis Leadership: The Missing Link in Cyberattack Defense

You are driving in your car with your 10-year-old son in the passenger’s seat. A ball bounces in front of your car and you hit the brakes hard while simultaneously throwing your arm in front of the child, acting almost automatically. That’s called muscle memory, and it is a big part of what organizations need when responding to cyberattacks.

Cyberattack Defense Is Muscle Memory

When asked how to launch an effective cyberattack defense effort, most people give technology-related answers: Beef up the firewalls, fortify the network, and deploy better intrusion detection and security analytics solutions.

While technology is certainly important, the responses coming from your organization during and following the attack — the human side of the equation — are even more vital. Yet despite a wealth of good advice, I estimate that in 8 of the last 10 large-scale breaches, the response from the organization under attack did as much or more damage than the attack itself. Most of that damage was reputational.

Why is that? Very few C-level executives have been trained in crisis leadership. They seldom have to make urgent decisions in near-real time. The usual practice is to build a team around executives to provide input. They carefully study these inputs and weigh them against other information to develop a set of options. Eventually, they fashion a response. This could happen days or weeks later — or, in some cases, not at all.

The Worst Response Is No Response

That explains why the response to a major breach is so often little or no response at all. Often the blame is directed at some vague state-sponsored source when, in reality, the company has no legitimate suspects because attribution is very difficult. That’s when problems arise beyond the actual damage from the breach. Customers worry about their personal information. Suppliers and partners get antsy. Tort lawyers start to circle overhead. Confidence in the organization drops while suspicion mounts.


Almost all of this post-attack damage is avoidable and unnecessary. First, all organizations must presume that they will fall victim to a major breach at some point. There is no safe harbor, as should be evident to anyone listening to the news these days.

Second, the management team needs to undergo in-depth training in crisis management so that it is ready when an attack does happen. This team needs to prepare and rehearse responses for customers, suppliers, regulators, the media and the board. Of the 50 states in the U.S., for example, 47 have their own unique breach disclosure laws. You must develop a plan in advance that complies with the laws of every state in which you do business. These responses must be ingrained as executive muscle memory.

Filling the Gaps

To help IT professionals thoroughly prepare to deal with cyberattacks, IBM opened its X-Force Command Center (XFCC), a simulator designed to train executives in the crisis leadership skills they’ll need to respond to a breach. In the all-day course at the XFCC, teams will first experience a highly realistic, simulated cyberattack. They’ll be exposed to the variety of ways the technical staff tries to detect and stop the attack and then swing into recovery mode.

Participants will spend the second half of the day planning the proper response steps and rehearsing them. The central idea is to infuse executives with the confidence and experience of doing something that their MBA training and business experience likely failed to address. Leadership during a cyberattack defense effort requires a full-throttle response in hours, not days or weeks.


A Predetermined, Definitive Response

Think back to the Tylenol scandal of 1982, when criminals tampered with bottles and laced the pain-relieving pills with poison that killed several people. Tylenol’s maker, Johnson & Johnson, immediately removed the product from all store shelves, even though there was no indication of a manufacturing problem. The parent company trusted its brand to survive such a hit, and indeed it did. The company was widely applauded for its leadership in a time of crisis and its near-instant response.

Breaches will continue to happen, possibly even at an accelerated pace, given the growing interconnectivity all around us and the expanding threat surface that comes with it. The worst thing a company can do in response is what so many end up doing — nothing. Instead, be prepared to meet the crisis with predetermined, definitive responses.

Caleb Barlow

Vice President - IBM Security

Caleb Barlow is a Vice President at IBM Security responsible for the positioning and strategy of the IBM Security portfolio of products and services. Caleb has a broad background, having led teams in product development, product management, marketing and cloud service delivery. He spends about 25% of his time on M&A activities: he was IBM’s Integration Executive for the acquisition of Net Integration Technologies, led IBM’s acquisition of Trusteer, and was the Integration Executive behind the recent acquisition of Fiberlink MaaS360. A strong advocate of social and new media, he regularly uses these technologies to engage customers, enable sales and promote the products he manages with proven results. Mr. Barlow is a sought-after speaker on the subject of security, and has appeared on Bloomberg Television, CNBC Squawk Box, Yahoo News, Al Jazeera America and the BBC World Service. Caleb's views have appeared in the Wall Street Journal, USA Today, NBC News, eWeek, Seventeen and dozens of other publications. In 2015 he presented to the United Nations at the invitation of the President of the UN General Assembly. Caleb hosts a regular Internet radio show focused on IT security that attracts tens of thousands of listeners: http://ibm.co/13hDreQ. External to IBM, Caleb has been in leadership roles at two successful startups – Syncra Systems, which is now part of Oracle, and Ascendant Technology, which was acquired by Avnet.