{"id":2554,"date":"2025-04-01T06:00:00","date_gmt":"2025-04-01T06:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2554"},"modified":"2025-04-01T06:00:00","modified_gmt":"2025-04-01T06:00:00","slug":"6-hard-earned-tips-for-leading-through-a-cyberattack-from-csos-whove-been-there","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2554","title":{"rendered":"6 hard-earned tips for leading through a cyberattack \u2014 from CSOs who\u2019ve been there"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>An incident response plan is central to ensuring your organization is prepared for a cyberattack. But such documents, which detail steps that should be taken in the wake of various cyber scenarios, generally treat security response as a technical process.<\/p>\n<p>As Christopher Robinson, chief security architect of The Linux Foundation, puts it: \u201cThese plans are built by engineers and technicians, so they focus on, \u2018I need to plug or unplug this\u2019 or \u2018I need to apply these fixes or make these changes.\u2019\u201d<\/p>\n<p>Other critical parts of dealing with a cyber incident, such as marshaling the cybersecurity team, collaborating with organizational stakeholders, or exercising other key leadership skills, can often be neglected until the heat of the moment.<\/p>\n<p>But how a CISO leads through a cyber crisis can be the most vital factor in successfully mitigating business impact. We spoke with security experts and CISOs who have navigated high-stakes incidents. 
Here they offer hard-earned from-the-trenches best practices that are typically left out of incident response plans but are essential to leading successfully under attack.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Establish authority and decision-making responsibilities<\/h2>\n<p>Before a CISO can step up during crisis, it must be abundantly clear they are the leading authority in responding to any cyberattack. This may seem obvious, but as Greg Crowley, CISO of<a href=\"https:\/\/www.esentire.com\/\"> <\/a>eSentire has found, there isn\u2019t always clarity when the alarms start going off.\u00a0<\/p>\n<p>\u201cI\u2019ve been through some incidents in the past where roles and responsibilities were not clearly documented or understood or agreed upon ahead of time, and that just causes confusion. And when you\u2019re going through a crisis, you need to know who is in charge,\u201d Crowley says.<\/p>\n<p>The organization needs to document the overall leader and the organizational structure in detail, in advance, Crowley says. \u201cThe roles and responsibilities of all the executives, of all the team players, what they\u2019re doing \u2014 and that the CISO is the overall executive in charge,\u201d he says, noting that the CEO should still have override privileges.<\/p>\n<p>Esteban Gutierrez, CISO and VP of information security at New Relic, says incident response plans frequently outline what to do but not who makes specific decisions, such as communicating an incident\u2019s impact on customers.<\/p>\n<p>\u201cMake sure you have a really clear understanding of who\u2019s going to make what kind of decisions and who takes that accountability,\u201d Gutierrez says.<a><\/a><\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Develop muscle memory \u2014 and patience \u2014\u00a0through simulations<\/h2>\n<p>Authority under crisis is meaningless if you can\u2019t establish followership. 
And this goes beyond the incident response team: CISOs must communicate with the entire organization \u2014 a commonly misunderstood imperative, says Pablo Riboldi, CISO of nearshore talent provider BairesDev.<\/p>\n<p>\u201cI find that employee involvement tends to be overlooked during cyberattacks. Many times, employees aren\u2019t even aware of their role during a crisis, which can create chaos when things go sideways,\u201d says Riboldi, who advises regular training in the form of <a href=\"https:\/\/www.csoonline.com\/article\/570871\/tabletop-exercises-explained-definition-examples-and-objectives.html\">staff simulations and tabletop exercises<\/a> to prepare the company and make everyone feel more confident.<\/p>\n<p>James Ngui, sales engineering director at Trend Micro, also recommends <a href=\"https:\/\/www.csoonline.com\/article\/1311295\/4-tabletop-exercises-every-security-team-should-run.html\">simulations<\/a>, particularly those that mimic the emotional intensity of actual incidents, as stress and pressure during a security incident can negatively impact team performance.<\/p>\n<p>\u201cOrganizations should provide training on stress management and decision-making under pressure, which includes perhaps mental health support resources in the incident response plan,\u201d Ngui says.<\/p>\n<p>Larry Lidz, vice president of CX Security at Cisco, also advocates for tabletop exercises as a way to get employees to \u201clook at problems through a different set of lenses than they would otherwise look at them.\u201d<\/p>\n<p>Lidz led a simulation of a flu-based pandemic at a previous company, which came in handy during COVID-19. Although some of their assumptions were incorrect, they were able to quickly adjust to working remotely and maintaining business continuity based on their previous exercise.<\/p>\n<p>Lidz suggests all levels of the organization, including the technical team and senior leadership, conduct tabletop exercises. 
He also recommends a combined simulation where the technical team is in one room, executives are in another, and each group has to wait on the other before deciding what action to take next.<\/p>\n<p>\u201cOne of the most difficult things that I see executive leaders deal with during security incidents is the need to be patient. When we\u2019re dealing with security incidents, there\u2019s a ton of unknowns, and there\u2019s a ton of analysis that needs to go on. Sometimes that means the right thing for an executive to do is sit and wait for that next update,\u201d Lidz explains.<\/p>\n<p>Linux Foundation\u2019s Robinson is another proponent of tabletop exercises. He says that his organization runs simulations for its open-source upstream projects so that people understand what is required of them in the middle of a crisis. \u201cIt helps develop some muscle memory so that when the red phone rings, they at least are familiar with the terms and what they need to do,\u201d he says.<a><\/a><\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Maintain calm in the face of the storm<\/h2>\n<p>Remaining calm in the face of a cyberattack can be challenging, but prime performance requires it, New Relic\u2019s Gutierrez says. \u201cThere\u2019s a lot of reaction. There\u2019s a lot of strong feelings and emotions that go on during incidents,\u201d Gutierrez says.<\/p>\n<p>Although they had moments of not maintaining composure, Gutierrez says they have been generally calm under cyber duress, which they take pride in. Demonstrating composure as a leader under fire is important because it can influence how others feel, behave, and act.<\/p>\n<p>\u201cThat really helps with not just your teams, but also senior leaders, senior management, other stakeholders across the company, and your board and sometimes with your customers,\u201d Gutierrez says.<\/p>\n<p>eSentire\u2019s Crowley says that another pitfall is getting too lost in the technical details. 
\u201cThe CISO should not be the hands-on keyboard person during an incident response. Those responsibilities should fall to others on the response team,\u201d he says.<\/p>\n<p>Crowley analogizes the CISO to the military leader who should survey the battlefield. \u201cThe CISO needs to know that their role is to be that composed leader in charge. They need to be focused on leading the team, setting the strategy, bringing in external support, clearing roadblocks, answering questions, and communicating,\u201d he says, emphasizing that cybersecurity incidents have their own \u201cfog of war.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Trust your team \u2014 and open yourself to outside help<\/h2>\n<p>When crisis hits, CISOs can often fall into a responsibility trap, trying to do too much on their own.<\/p>\n<p>\u201cA lot of times, the CISO might feel the pressure that they need to handle everything. \u2018Oh, this is what I\u2019ve been hired for. I need to be the one resolving this,\u2019\u201d Crowley says.<\/p>\n<p>Although every company varies in its cybersecurity resourcing, few organizations can handle incidents entirely in-house. CISOs must be humble enough to know when to seek external help.<\/p>\n<p>\u201cIn retrospect, if you\u2019re going through a cyberattack, nobody\u2019s going to care if you save some money by not bringing in external counsel or external incident response if that would have saved your company,\u201d he says.<a><\/a><\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Create social capital across the company<\/h2>\n<p>Trend Micro\u2019s Ngui says engaging employees during a cyberattack requires using language appropriate for the audience at hand. According to Ngui, CISOs and technical leaders often speak in jargon that is difficult for the rest of the organization to understand. 
Security leaders should instead develop a common vocabulary aimed at a layperson to ensure employees understand the situation and their roles in responding to it.<\/p>\n<p>\u201cIt is essential for the technical team to cultivate the ability to convey intricate security incidents in terms of clear, actionable business impacts. This skill enables executives and other stakeholders to understand the situation fully and make informed decisions,\u201d he says.<\/p>\n<p>Engaging with stakeholders is easier when you already have built rapport with them. New Relic\u2019s Gutierrez says this is essential because the cybersecurity team will be experts in incident response but may lack knowledge in other critical areas. \u201cThey\u2019re not always experts at specific parts of a company\u2019s infrastructure or products or services. And that\u2019s where we need the skills and knowledge that our partners across the company have to assist with,\u201d Gutierrez says.<\/p>\n<p>To address this gap, Gutierrez recommends building relationships with colleagues across the organization, such as marketing, sales, and finance. At New Relic, the incident response team has leaned heavily into its relationship with engineering, which has assisted with data analysis to understand issues when incidents have transpired.<\/p>\n<p>\u201cHaving that pre-established relationship made it very easy to get things done. There was no questioning. They understood. There wasn\u2019t very much pushback. It was easy to get people\u2019s time and skilled efforts,\u201d Gutierrez says.<\/p>\n<p>eSentire\u2019s Crowley advises CISOs to use specific channels to create rapport with different stakeholders, such as biannual security updates to connect with the board of directors. 
Crowley believes these connections create goodwill and crucial understanding that will go a long way toward ensuring collaboration and support during a cybersecurity incident.<\/p>\n<p>\u201cWhen there is a crisis, they know you; you know them. You know the best way to communicate with them and the questions they\u2019re going to ask, and you\u2019ve already established that you are the person in charge,\u201d he says. \u201cThey don\u2019t have to be worried.\u201d<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Take accountability through action<\/h2>\n<p>Sakshi Grover, senior research manager for IDC Asia, advises organizations facing a cyberattack to avoid the blame game. Instead, CISOs should take ownership and move forward with leading the response. \u201cPeople usually want to see a senior face come and take accountability,\u201d she says.<\/p>\n<p>Adriyan Pavlykevych, CISO at<a href=\"https:\/\/www.softserveinc.com\/en-us\"> <\/a>SoftServe, shares this belief and offers an example. A ransomware attack struck the software development and consulting company after a successful phishing attempt on an associate. 
The threat actor moved laterally, compromising administrative accounts before encrypting virtual machines.<\/p>\n<p>Because the attack affected customers, Pavlykevych met right away with their infosec teams, providing ongoing briefs on progress, incident investigation, and recovery \u201cto ensure transparency and accountability,\u201d an essential part of SoftServe\u2019s cybersecurity ethos, Pavlykevych says, noting that this approach strengthens trust with stakeholders.<\/p>\n<p>After the ransomware attack, SoftServe reviewed and audited its security controls, which eventually led to an improved approach to file storage and sharing of personal and client data, as well as <a href=\"https:\/\/www.csoonline.com\/article\/3604803\/security-awareness-training-topics-best-practices-costs-free-options.html\">security and privacy awareness workshops<\/a> for associates. Addressing the underlying issues that led to the breach and enabled it to advance is vital \u2014 but not through finger-pointing.<\/p>\n<p>IDC\u2019s Grover says that despite the CISO\u2019s best efforts, there will still be reputational harm from a cybersecurity incident. <a href=\"https:\/\/www.csoonline.com\/article\/3825447\/how-cisos-can-rebuild-trust-after-a-security-incident.html\">Rebuilding trust after a cyberattack<\/a> can be challenging but is essential.<\/p>\n<p>\u201cIf you take all the right steps in the right direction, you can reverse this brand image,\u201d Grover says, adding that CISOs may want to consider the expertise of a PR agency or consulting firm to assist with this task.<\/p>\n<p>CISOs should also give special consideration to communicating with the board, which may influence high-level cybersecurity investments in products or services that may reduce exposure to future attacks, she says.<\/p>\n<p>\u201cGo to the board. You clearly outline why: What was the cause of the breach? What are [your] lessons learned? 
You accept the responsibility, and then you slowly move towards regaining your credibility as well,\u201d she says.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>An incident response plan is central to ensuring your organization is prepared for a cyberattack. But such documents, which detail steps that should be taken in the wake of various cyber scenarios, generally treat security response as a technical process. As Christopher Robinson, chief security architect of The Linux Foundation, puts it: \u201cThese plans are [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2555,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2554","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2554"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2554"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2554\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2555"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2554"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2554"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2F
tags&post=2554"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}