Hacked? How to Break the Bad News to the C-Suite

Sure, your organization needs defensive strategies that go beyond basic compliance and are both durable and flexible. It's a generally accepted fact that the human element is a critical facet of cybersecurity in terms of maintaining an educated workforce. But what happens when the inevitable breach happens, and you're responsible for sharing the bad news?

Before you run for the hills or pack your belongings assuming your role is headed for the chopping block, take heed of our advice.

We reached out to two of Global Knowledge thought leaders for their insights into how to speak to the C-suite: Dave Buster, Global Senior Portfolio Director for Cybersecurity, and Dan Stober, Global Portfolio Director for IT Management and Best Practices.

From a cybersecurity perspective, Buster offered the following thoughts:

Like many professions, cybersecurity has its own language and vocabulary. It's impenetrable to outsiders, and I suspect that is sometimes by design. However, the translation problem becomes critical when dealing with urgent issues such as a breach of information security. This is where a combination of technical expertise and human psychology come into play. So, how do we manage to communicate effectively? More importantly, how do we communicate just the right level of urgency and information to C-suite executives who are often ill-equipped to understand and make the necessary decisions?

Here are some basic pointers for how to communicate urgent information security information to executives.

Be fearless.

Don't assume they will shoot the messenger. Executives don't rise to that position without understanding that not everything is under control despite how much they wish it were. Human error, zero-day hacks, and random chance combine to create "perfect storms" in information security from time to time. The best policy is to notify the chain of command as soon as credible information exists of a hack. That doesn't mean notifying them of every case of "unusual activity in the logs." Instead, they should be notified as soon as triage and initial analysis indicates that information has been compromised.

State facts, not opinions.

It's very important to be extremely precise in communications in the early phases of a cybersecurity event. Give data, numbers, specific server names, etc. where possible. If you have done appropriate risk planning before the event, you will be able to include dollar values of compromised assets. Most importantly, if asked to elaborate, make the difference extremely clear between absolute facts on the one hand and hunches and guesses on the other hand.

Communicate business risk.

This is vital when communicating with executives. The fact that an Active Directory server was compromised is critical to you as a cybersecurity professional, but that needs to be put into context for executives. They need to understand what systems and corresponding information might have been exposed which would be damaging to the business. This is really where the "soft side" of cybersecurity comes to play. You have to understand the psychology and personalities of the executives to present the information in a way they can absorb it. Soft skills are key here!

Have a plan.

Never present bad news without also having one or two response and remediation plans already in motion to be able to report. If you need them to authorize a third-party contractor to help with remediation, hopefully you have already selected one. If so, having them on retainer means you are only asking for permission to engage them. You should also be able to make recommendations for public disclosure if necessary.

Stay connected.

Not all information will be available at the early stages of an event. Ask the executives how they would like to be kept up to date on additional information.

Don't say, "I told you so."

Now is not the time to remind them of the budget you didn't get and the systems you didn't purchase. Save that discussion for the next budget cycle when you can bring up this event as validation. Remember that events are always in better perspective after they are over rather than while they are occurring.

Don't forget to follow-up.

After the smoke clears and the systems have been restored, it's tempting to go back to business as usual. Instead, make an appointment with the executive team for a "post-mortem/ lessons learned" session to review the event in perspective. Now is not the time for sugarcoating or hiding human error in this point. Instead, recommend training to strengthen the cybersecurity and IT teams and help prevent recurrence.

Dan Stober offered some overlapping wisdom. In the vein of IT management and best practices, he gave the following reflections and advice.

Plan your risk response.

In this sort of situation, it is not only important to assess risks but also to have a Risk Response Plan that is understood, achievable, and FUNDED. If a risk manifests itself, the organization must have the analytical skills, budget, and project management skills to implement the risk response plan. Otherwise, the plan is useless. Chances are the response will not simply include flipping a switch but will instead be a series of controlled actions meant to stabilize or recover from the incident. As such, having staff that are trained to define response requirements and document response processes is critical. Equally important is having personnel who can then manage the execution of the response.

Communicate technical information effectively.

Successfully communicating technical information carries a unique set of challenges since these technical concepts can often have dramatic real-world effects. You have to convey complex and highly specialized concepts to audiences that may have only a partial understanding of what you're talking about or may not understand at all. To operate effectively in this environment, you need to optimize your writing and speaking abilities.

Take charge.

In a situation where a breach has occurred, it takes strong, proactive leaders to right the ship. Part of that leadership will involve having difficult conversations with employees, executives, and potentially investors. Understanding the response plan and the origin of the incident will allow you to communicate information in a timely and transparent manner, which demonstrates that the situation is under control. There are many examples of companies that have experienced cybersecurity incidents actively concealing the breach only to later be punished by customers and investors. Develop the skills to lead your team through the situation and communicate the correct information to those who need to know.

Both Buster and Stober recognized the importance of maintaining a positive attitude in light of stark realities-above all, don't be de-moralized. Some of the strongest institutions in the world have been hacked in the past and will be in the future. You're in good company. Just take lessons to heart and make sure you don't:

  1. Sit on it for months, especially in the case of multiple breaches
  2. Have unqualified people running security
  3. Push insiders sell their stock before the announcement
  4. Post an anemic response with a web page that can't scale

If you can avoid these pitfalls, you'll be able to ride out the storm. You're certainly not the first company to suffer a breach nor will you be the last.

Recommended Courses

Cybersecurity

  • CISSP-ISSMP Certification Prep Course
  • CISM Prep Course
  • CRISC Prep Course

IT Management and Best Practices

  • Active Leadership for IT Professionals
  • Communicating for Clarity