
Crisis management beyond the boom

Effective crisis management requires preparation that focuses not only on detection and prevention of breaches, but also response and remediation.

High-profile data breaches that affect millions of people are hitting the headlines with increasing regularity, and CEOs of large corporations are being dragged in front of government committees to be grilled by lawmakers. Harsh questions like “How could your security be so lax?” and “Why didn’t you know what happened and why did you respond so slowly?” can be a nightmare for a CEO. Most companies focus IT resources on detection and prevention and don’t pay enough attention to response and remediation.

Understanding the timeline of a breach

Recent high-profile security breaches highlight a lack of preparedness among many organizations: a startling number are completely ill-equipped to handle a major security incident. This failure is particularly alarming when you consider that breach notification laws and regulations are becoming stricter around the world, with decreasing times allowed for reporting to government parties and the public.

During the lifecycle of a security breach, several critical events happen. The first event is the point when a breach occurs. The second is when data has been taken or destroyed. The third is when the breach is discovered (either by external or internal parties). And the fourth is when the breach is made public. When it comes to incident response, each of these points in the timeline is colloquially called a “boom” event. However, we’re assuming here that the boom event is the point when the breach hits the media and the company loses control of the story.

The left of boom

Although the news media often focuses on the event itself, breaches often span many months. The period before the breach is disclosed or discovered is termed the “left of boom.” During this time, cyber thieves are taking credentials, gaining deeper access, stealing data to be monetized, targeting key intellectual property, or preparing a destructive attack. Often the bad guys have infiltrated long before anyone realizes they’ve even accessed the systems.

Making better decisions during a boom event

During a boom event, an organization has the opportunity to respond well, fumble, or completely lose control of its response. When a security breach or cyberattack happens, executives need to drive an effective response. They must quickly instill confidence in their customers and other stakeholders that they’re doing everything possible to solve the problem.

For many people in the C-suite, this type of fast, intuitive response doesn’t come naturally. Although they might know what to do technically to manage a breach, they often aren’t prepared to cope with the human side of the equation. In a crisis situation, the C-suite is up against a human adversary, which typically isn’t something that they’re used to handling. Phones ringing with angry customer complaints or questions from reporters can catch them off-guard, often causing them to fall apart or do nothing. During a crisis, taking no action can be worse than taking some action, even if it’s not the right action in the long run.

Acting to the right of boom

The period to the right of boom involves not only mitigating the damage from an attack, but also managing the court of public opinion after customers and the media find out what happened. What happens to the right of boom can dictate the future of a company. During the crisis, executives need to display seasoned leadership, so it doesn’t look like the organization is trying to hide something. The ability to make decisions quickly is critical during and after a cyberattack or security breach. To handle an incident quickly, organizations need more than procedures. They also need to practice their responses so they become automatic.

Read the full report for more recommendations on managing security crises, including how to improve responses and the importance of simulations.


Meet the authors

Christopher Crummey, Executive Director, X-Force Command Cyber Range

Wendi Whitmore, Vice President, X-Force Threat Intelligence, IBM Security
