CISO’s guide to an effective post-incident board report
A successful cyberattack is undoubtedly one of the most disruptive events an organization can experience. Whether it’s phishing, DDoS, ransomware or SQL injection, the incident often results in major service failures and potentially massive revenue loss, as well as damage to brand reputation and customer trust.
As CISO, you are charged not just with overseeing the response and mitigation processes post-breach but also with assembling all relevant information in a post-incident report to the board. Indeed, this is the most critical and immediate task a CISO must perform after investigating and containing a security incident.
To discover the dos and don’ts of how to handle the aftermath of a cyberattack, CISOs can look to the recent Marriott (do) and British Airways (don’t) post-breach responses. What these two companies did or didn’t do can inspire how CISOs approach the post-incident board report – including what information to relay, how to present it and, most importantly, what lessons were learned.
Step 1 – Presenting the incident: describing the event’s breakdown
- Provide a step-by-step breakdown of what happened, why the incident occurred, which weaknesses enabled it, and why these weaknesses exist.
- Consider the weaknesses in the company’s response and the initial failure that allowed the incident.
- Comment on the security weaknesses that were exploited during the incident.
- Raise the relevant security weaknesses that will catch the board’s attention, and frame them as an opportunity to rectify those weaknesses.
- Focus on remediation, rather than attributing blame.
Step 2 – Presenting the executive summary
Your goal is to give board members the information they need to understand the incident, so that the discussion that follows focuses on discovering vulnerabilities, mapping key assets, determining how they were impacted, and deciding how to protect the organization in the future. Use high-level information to set the context for the discussion, and then cover how the information will be presented to the public.
Begin by naming the business units and processes involved and the information assets compromised, such as:
- Business unit and processes involved – digital banking system.
- Information assets compromised – PII database.
Explain both the current business impact and the future anticipated consequences:
- Current impact – 40 percent of our users have been impacted.
- Anticipated – customer defection, lost market share.
Describe what factors allowed the incident to happen – the exploited elements and the root cause for their vulnerabilities:
- Exploited elements – customer database.
- Reason for vulnerability – process flaws, technical deficiencies.
Demonstrate which immediate actions you took and responses you plan to make to mitigate damage and ensure recovery. Example:
- Immediate actions – recommend that customers change their credentials, upgrade software versions.
- Planned actions – change of controls, upgrade defense systems, invest in IT and appropriate threat detection and response solutions.
Step 3 – Learning from the breach
Cyberattacks are now a matter of when, not if. When one does happen, the entire organization – from boardroom to backroom – has to treat it as a learning experience. Cybercriminals and hackers profit from data breaches, and they will continue to target organizations. As long as fallible humans use digital systems, they will make mistakes and fall victim to malware attacks.
It’s important to review how your organization was breached so that subsequent employee training and vigilance can incorporate those teaching moments. There’s nothing like learning from experience, and the first time something happens is the moment to do it.