{"id":1968,"date":"2025-02-18T08:00:00","date_gmt":"2025-02-18T08:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1968"},"modified":"2025-02-18T08:00:00","modified_gmt":"2025-02-18T08:00:00","slug":"how-cisos-can-rebuild-trust-after-a-security-incident","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1968","title":{"rendered":"How CISOs can rebuild trust after a security incident"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>When incident response plans cover the aftermath, they typically focus solely on technical matters, such as root cause analysis or upgrading systems. The problem with this approach is that breaches are not only technical in nature \u2014 they can also undermine trust among various internal and external stakeholders of the business.<\/p>\n<p>This loss of trust can be hard to measure, but it manifests concretely. For example, publicly traded companies may lose the enthusiasm of institutional and retail investors. Once popular organizations for tech talent may see their pipeline of applicants dry up. The morale of your cybersecurity team may wane, leading to retention issues and resignations.<\/p>\n<p>In short, CISOs must prioritize rebuilding trust with stakeholders as an equal priority to any technical exercise. After all, no improvement or upgrade matters if stakeholders do not buy into your organization\u2019s overall cybersecurity plan or execution.<\/p>\n<h2 class=\"wp-block-heading\">Transparency across the incident lifecycle<\/h2>\n<p>Christopher Robinson, chief security architect of The Linux Foundation, says transparency is key to rebuilding stakeholder trust. 
Unfortunately, companies often take the opposite approach.<\/p>\n<p>\u201cA reporter will get word that something happened, and they\u2019ll approach a company, asking, \u2018We hear you\u2019re in the middle of a cyber event,\u2019 and [the company representatives will] clam up, and they\u2019ll be very quiet, or they\u2019ll put you [in touch] with the legal team, and they\u2019ll make threats,\u201d he says.<\/p>\n<p>Larry Lidz, vice president of CX Security at Cisco, believes rebuilding stakeholder trust begins during the incident, and it involves two general groups a CISO will need to communicate with: internal stakeholders, such as the C-suite and employees; and external stakeholders, like customers and regulators. \u201cThe commonality between the two is [the need for] transparency,\u201d he says.<\/p>\n<p>To this end, Lidz advises CISOs to state what is being done and when stakeholders can expect to hear back with further information.<\/p>\n<p>\u201cThat\u2019s a massive improvement in increasing credibility because they know that you\u2019re on it,\u201d Lidz says. \u201cAnd when you say, \u2018I\u2019m going to give you an update tomorrow at noon,\u2019 they know you\u2019re going to get back to them,\u201d even if that update is that forensics is still ongoing.<\/p>\n<p>Grant Bourzikas, CISO of cloud solutions provider Cloudflare, agrees that CISOs should be \u201coverly communicative\u201d throughout the incident lifecycle.<\/p>\n<p>\u201cProactive and thoughtful communication through times of crisis will only work to further build trust, versus tear it down. 
You can have the best technical response in the world, but if you don\u2019t communicate it, your brand and business will fall flat,\u201d Bourzikas says.<\/p>\n<h2 class=\"wp-block-heading\">Maintaining sensitivity in accountability<\/h2>\n<p>Cisco\u2019s Lidz emphasizes that transparency does not end at incident resolution.<\/p>\n<p>\u201cBeing transparent, internally in particular, by making sure stakeholders understand you and your team have learned from the incident, that there are things you would do better not just in terms of protections, but how you respond and react to incidents\u201d is essential, he says.<\/p>\n<p>Pablo Riboldi, CISO of nearshore talent provider BairesDev, recommends using third-party auditors to strengthen the credibility of these assessments.<\/p>\n<p>\u201cCISOs can bring independent auditors to review the corrective actions implemented and openly share their findings with everyone involved. Showing how we\u2019re taking responsibility and actively looking for ways to improve goes a long way in rebuilding trust and confidence,\u201d he says.<\/p>\n<p>But when conducting post-mortem or root cause analyses, it is also important to be sensitive to all parties involved, Linux Foundation\u2019s Robinson says.<\/p>\n<p>\u201cIt\u2019s a very delicate balance: There\u2019s an art to telling the truth, and not necessarily being punitive. These are all people that work very hard, giving their all \u2014 the operations team, the developers \u2014 and you don\u2019t want to crush their spirits,\u201d he says.<\/p>\n<p>Robinson points out that unless a cybersecurity incident originated in malice, most incidents start from business-as-usual problems, such as human error, a security vulnerability in third-party software, or an overlooked backdoor. 
With this in mind, Robinson says that CISOs can frame the post-mortem positively.<\/p>\n<p>\u201cIf somebody messed up, hold people accountable, but you can do that in positive ways, saying, \u2018We realized there was a gap in this process, but we\u2019re going to correct that process so it doesn\u2019t happen again,\u2019\u201d he says, adding that soliciting feedback from the group can further demonstrate empathy and rebuild trust.<\/p>\n<p>Robinson says cybersecurity can be a thankless job, and reminding security professionals that leadership understands their struggles goes a long way toward lifting their spirits.<\/p>\n<p>\u201cLeadership showing that they see and value these people in the trenches, the operators \u2014\u00a0just the recognition that you exist, and your work is valuable \u2014 goes much further than three pizzas or Starbucks gift cards,\u201d he says, adding that CISOs can often pay too much attention to the board and fellow leadership rather than their on-the-ground security staff members.<\/p>\n<h2 class=\"wp-block-heading\">Improving morale in the trenches<\/h2>\n<p>Sakshi Grover, senior research manager for IDC Asia, believes employees from the incident response team are often the most overlooked, even though they may bear the brunt of the stress.<\/p>\n<p>\u201cThey would be feeling so demoralized after the attack and probably would have been blaming themselves for the breach,\u201d she says.<\/p>\n<p>Grover recommends promoting a growth mindset to mitigate these feelings after an attack by shifting the focus to the team\u2019s problem-solving capability. The business can also offer mental health sessions or even counseling for their well-being, she adds.<\/p>\n<p>Attending to these employees is imperative because they are the primary evangelists for the cybersecurity department. \u201cWord of mouth travels. 
They are going to then pursue potential employees to come and be a part of this organization,\u201d Grover says.<\/p>\n<p>Esteban Gutierrez, CISO and VP of information security at <a href=\"https:\/\/newrelic.com\/\">New Relic<\/a>, says that during a previous incident, the company ensured its cybersecurity team was attended to so they didn\u2019t experience burnout. Executive assistants helped them with meal delivery and made arrangements so their household chores could be attended to.<\/p>\n<p>\u201cWe made sure that they had a way to get those things taken care of while they were helping get the business back into the state that it should be in,\u201d Gutierrez says, adding that this approach should continue after an incident, including time off and deeper examinations of structure and processes to help improve operations and the experience of responding to an incident.<\/p>\n<p>\u201cAre we set up the right way to handle an incident like this going forward? Do we need to build a more global team? Do we need more resources in one geo versus another in order to handle continuity of operations?\u201d Gutierrez says.<\/p>\n<p>Post-incident, cybersecurity employees often return to their bubble, such as monitoring alerts or managing firewalls and cloud security posture. 
Gutierrez says it\u2019s important to connect the dots between each person\u2019s work and their overall contribution to the organization as a way of ensuring improved morale.<\/p>\n<p>\u201cI make it a key priority for my teams and for my leaders to not just understand what they\u2019re needing to do from a security perspective, but to understand the business and how we are supporting the business,\u201d Gutierrez says, adding that strong relationships with business owners provide even more context to this impact.<\/p>\n<h2 class=\"wp-block-heading\">Preventing an exodus of customers<\/h2>\n<p>When rebuilding trust after a security incident, CISOs should give customers special consideration, as security breaches are often a tipping point, pushing customers to leave an incumbent in favor of a competitor. <a href=\"https:\/\/www.usatoday.com\/story\/money\/2017\/09\/18\/equifax-image-battered-data-breach-consumers-feel-violated\/677908001\/\">Equifax in 2017<\/a>, <a href=\"https:\/\/www.csoonline.com\/article\/567667\/capital-one-hack-shows-difficulty-of-defending-against-irrational-cybercriminals.html\">Capital One in 2019<\/a>, and <a href=\"https:\/\/www.csoonline.com\/article\/571199\/the-t-mobile-data-breach-a-timeline.html\">T-Mobile in 2021<\/a> all experienced a significant exodus of customers in the aftermath of breaches. No matter the industry, people care about how their data is handled and are willing to vote with their business.<\/p>\n<p>Post-incident, Cloudflare\u2019s Bourzikas believes companies should focus on improving relations with and services for current customers rather than seeking out replacement customers in their addressable market when customers defect.<\/p>\n<p>\u201cIt is easier to build trust with your engaged customers and shareholders than it is to repair reputational damage with future potential customers,\u201d he says, adding that this task is incredibly challenging in today\u2019s media landscape. 
\u201cMany times, the headline is all that we read,\u201d Bourzikas says.<\/p>\n<p>That\u2019s why it\u2019s very important for CISOs and their teams to beat media outlets to the punch.<\/p>\n<p>\u201cBeing transparent publicly \u2014 e.g., releasing a company blog or report \u2014 will allow you to share factual and correct information that is not overblown with the community. Don\u2019t shy away from the incident; share your story, and showcase how you recovered, hardened your security, and prepared for the future,\u201d Bourzikas says.<\/p>\n<p>New Relic\u2019s Gutierrez also recommends including key account management of high-revenue customers as part of any incident response plan. Businesses should take inventory of their top 200 customers or more, depending on the nature of their business. These clients will expect to be contacted about an incident, and your organization needs to know the right point of contact for security communications at these companies.<\/p>\n<p>\u201cOftentimes, the contact at a customer is not always the same person that you want to talk to when you have a security issue that you need to discuss with them,\u201d Gutierrez says. \u201cWe\u2019ve made changes internally to make sure that we have a place to track that kind of information whenever we establish a relationship with a customer.\u201d<\/p>\n<p>Regulatory nuances can also shape how this communication is handled, he says. \u201cHow we communicate and what we communicate to our EU customers during an incident may differ a little bit from what we do in the US and APAC as well,\u201d Gutierrez says.<\/p>\n<p>In the event of potential downstream risks to customers, these channels of communication are key. 
For example, an attack on a software provider may lead to security vulnerabilities at their enterprise clients.<\/p>\n<p>\u201cIt\u2019s really just making sure that you\u2019re answering their questions before they ask them and giving them the information they need in order to assess and manage their own risk, because at the end of the day that\u2019s a lot of what customers are asking for,\u201d Gutierrez says. \u201cIt\u2019s like, \u2018Help me understand how this impacted me and what I need to do in order to mitigate that risk.\u2019\u201d<\/p>\n<h2 class=\"wp-block-heading\">Two-way street to building trust<\/h2>\n<p>James Ngui, sales engineering director at Trend Micro, notes that rebuilding trust after a security incident requires openness to feedback.<\/p>\n<p>\u201cA successful recovery process also actively incorporates stakeholder input by including the key stakeholder in post-incident analysis, gathering feedback on response effectiveness, and also demonstrating how stakeholders\u2019 input will shape the future security strategies of the organization,\u201d he says.<\/p>\n<p>This collaborative approach aligns with the broader perspective on cybersecurity, which values trust as much as technology.<\/p>\n<p>\u201cThe key to success lies in recognizing that cybersecurity is not just a technical challenge, but a business-wide responsibility that requires effective communication, clear processes, and engaged leadership at all levels,\u201d Ngui says.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>When incident response plans cover the aftermath, they typically focus solely on technical matters, such as root cause analysis or upgrading systems. The problem with this approach is that breaches are not only technical in nature \u2014 they can also undermine trust among various internal and external stakeholders of the business. 
This loss of trust [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1969,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1968","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1968"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1968"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1968\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1969"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1968"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1968"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1968"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}