{"id":3517,"date":"2025-06-11T07:00:00","date_gmt":"2025-06-11T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3517"},"modified":"2025-06-11T07:00:00","modified_gmt":"2025-06-11T07:00:00","slug":"8-things-cisos-have-learned-from-cyber-incidents","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3517","title":{"rendered":"8 things CISOs have learned from cyber incidents"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>When a cyber incident happens, it\u2019s more than just an isolated event. For many CISOs, it reshapes their approach to resilience, risk management, and even their personal well-being in the job.<\/p>\n<p>Several security leaders reflect on the lessons from real-world incidents and why it\u2019s vital to share them with the community to strengthen collective resilience, break down the stigma around breaches, and help others who may face an incident themselves.<\/p>\n<h2 class=\"wp-block-heading\">1. Share learnings and improve security for all<\/h2>\n<p>CISOs in the eye of the storm should expect media attention and all sorts of different agendas from people who weigh in on an incident.<\/p>\n<p>\u201cYou get the attention of the world very quickly,\u201d says SolarWinds CISO Tim Brown.<\/p>\n<p>And it isn\u2019t all well-intentioned as some commentators use an incident to further their own interests, whether it\u2019s to raise their profile, speak poorly of another organization, or just get into the news cycle.<\/p>\n<p>On the other hand, some incidents present an opportunity to help the industry at large because all sorts of people are paying attention, including good researchers, according to Brown.<\/p>\n<p>There may be legal, corporate, and regulatory considerations with what you can share. 
But in terms of the technical playbook, there are likely to be things worth sharing.<\/p>\n<p>Brown believes there are often important lessons that come out of breaches, whether it\u2019s high-profile ones that end up in textbooks and university courses, or experiences that can be shared among peers through conference panels and other events. \u201cAlways look for good to come from events. How can you help the industry forward? Can you help the CISO community?\u201d he says.<\/p>\n<p>Todd Thorsen, CrashPlan CISO, agrees there are tactical lessons that come with being involved in an incident. Sometimes an incident is the perfect test case of what shouldn\u2019t happen, says Thorsen, who was on the cybersecurity team during the <a href=\"https:\/\/www.frameworksec.com\/post\/the-target-breach-a-historic-cyberattack-with-lasting-consequences\">Target data breach<\/a> of 2013.<\/p>\n<p>His approach is to conduct blameless post-mortems to understand root causes, create a safe environment for open discussion, and identify what could have been done better. The goal is to analyze processes without fear of repercussions. He encourages security people to share learnings with the community because \u201cin the end everyone\u2019s fighting the same battles\u201d.<\/p>\n<p>Sharing insights is also an important way to build support networks across the wider community and pay it forward because a time may come when you need to turn to your peers. \u201cYou never know when you might need to \u2018make withdrawals\u2019 from the community later,\u201d Thorsen says.<\/p>\n<h2 class=\"wp-block-heading\">2. You\u2019ll need to shift from defense to offence<\/h2>\n<p>The role and the CISO won\u2019t be the same after an incident.<\/p>\n<p>\u201cMy job on December 11 was very different from my job on December 12 and beyond,\u201d says Brown.<\/p>\n<p>Following an incident, some organizations need to change to such an extent that they need a different CISO with a different approach. 
The CISO isn\u2019t always let go because they were incompetent or people believe it was their fault, according to Brown. A lot depends on the situation and how the CISO can adapt.<\/p>\n<p>\u201cIf you want to be the post-incident CISO then you really need to have the skills to be that, and they\u2019re very different from the skills that you needed the day before,\u201d says Brown.<\/p>\n<p>Many incident-hardened CISOs will shift their approach and their mindset about experiencing an attack first-hand. \u201cYou\u2019ll develop an attack-minded perspective, where you want to understand your attack surface better than your adversary, and apply your resources accordingly to insulate against risk,\u201d says Cory Michel, VP security and IT at AppOmni, who\u2019s been on several incident response teams.<\/p>\n<p>In practice, shifting from defense to offence means preparing for different types of incidents, be it platform abuse, exploitation or APTs, and tailoring responses.<\/p>\n<p>Michel includes <a href=\"https:\/\/www.csoonline.com\/article\/3618336\/top-tips-for-cisos-running-red-teams.html\">red team exercises<\/a> and live fire drills in the offensive play. It also means periodically stepping back, starting afresh, and challenging the current security approach to look for gaps and weaknesses. Incumbent CISOs \u201ccan become blinded to the current situation because they\u2019re so immersed in the details,\u201d he tells CSO.<\/p>\n<h2 class=\"wp-block-heading\">3. You\u2019ll develop a tactical playbook for handling incidents<\/h2>\n<p>Incidents are a reminder that a well-practiced <a href=\"https:\/\/www.csoonline.com\/article\/3829684\/how-to-create-an-effective-incident-response-plan.html\">response plan<\/a> needs to be in place. 
It should designate a strong internal coordinator, with scope to draw on external expertise such as breach coaches and legal counsel.<\/p>\n<p>\u201cYou need core people to talk to the press, engage with the insurance company, start investigating if you can\u2019t restore data, and know how to communicate with the attackers about a ransom,\u201d XYPRO CISO Steve Tcherchian says.<\/p>\n<p>Without clear roles and responsibilities, panic sets in very quickly, Tcherchian has found. \u201cRight off the bat, it\u2019s \u2018what do we do? Who\u2019s in charge? Who do we call? Who do we involve? Who do we not involve?\u2019,\u201d says Tcherchian, who\u2019s acted as an advisor in the aftermath of ransomware attacks.<\/p>\n<p>The playbook needs clear guidance on communication, during and after an incident, because this can be overlooked while dealing with the crisis, but in the end, it may come to define the lasting impact of a breach that becomes common knowledge.<\/p>\n<p>\u201cEvery word matters during a crisis,\u201d says Brown. \u201cOf what you publish, what you say, how you say it. So, it\u2019s very important to be prepared for that.\u201d<\/p>\n<p>The playbook also needs to outline the endpoint so a decision can be made about when to shut down the investigation of the incident. \u201cOne of the hardest parts of managing a cyber incident is knowing when to stop investigating it,\u201d says George Gerchow, faculty at IANS Research and Bedrock Security CSO.<\/p>\n<p>If there are large teams investigating the incident, they\u2019re likely to start uncovering other things, but if they\u2019re going down rabbit holes it can distract and delay from the issue at hand.<\/p>\n<p>CISOs need to accept some doors may be left open, but if they\u2019re smaller risks, it\u2019s important to not lose sight of the incident. 
\u201cThe key is to focus on the \u2018known knowns\u2019, be transparent, and bring the incident to a close, with the primary goal of determining if data was exfiltrated,\u201d says Gerchow, who\u2019s been through incidents at SumoLogic and MongoDB.<\/p>\n<h2 class=\"wp-block-heading\">4. Overlook robust, monitored backups at your peril<\/h2>\n<p>If an incident happens that compromises data, having unprotected or inadequate backups can be a costly oversight. Where it\u2019s happened, CISOs have learned the hard way never to assume backup systems are secure and fully functional.<\/p>\n<p>\u201cA lot of ransomware attacks nowadays, they\u2019ll target the backups first before doing anything. They\u2019ll target your restore location, your restore points, your backup media. They\u2019ll make sure to disable your ability to restore your data and avoid paying the ransom,\u201d says Tcherchian.<\/p>\n<p>Even if the decision is to pay the ransom, there\u2019s no guarantee the business will get the data back and this underscores the need to ensure backups are isolated and working.<\/p>\n<p>Tcherchian recommends regularly testing and verifying that backup systems are functioning and clean. \u201cYou might have a vulnerability or a malicious payload on your network, and it might be sitting there for 30, 60 days, meaning it\u2019s being copied into your backups constantly,\u201d he says. \u201cIf you think you\u2019ve been attacked, you\u2019re going to restore from your backup, and all you\u2019re doing is reintroducing that virus or that malware back into your environment.\u201d<\/p>\n<h2 class=\"wp-block-heading\">5. Set the security bar higher<\/h2>\n<p>After an incident, you\u2019re likely to view your security posture differently and this includes continuously working to improve security processes. The aim is to be better than just compliant. 
Be prepared to reinvent and rebuild systems to be more resilient, implement multi-layered security measures, consider higher levels of compliance, more <a href=\"https:\/\/www.csoonline.com\/article\/518982\/tabletop-exercise-scenarios.html\">tabletop exercises<\/a>, security auditing, red teaming, end-point protection and so on.<\/p>\n<p>\u201cEach one of those leads us to more of an exemplary model that we can hold up to say, \u2018yes this happened to us and now we\u2019re doing things that can be better\u2019 and sharing that,\u201d says Brown. \u201cThe approach is how do we practically make things much more difficult, against an infection or another targeted breach.\u201d<\/p>\n<p>Incident-hardened CISOs may also change their approach to tabletop exercises. In Brown\u2019s case, they\u2019re now happening more often and feature more serious potential events because when you\u2019ve been through an incident you know that it\u2019s possible.<\/p>\n<p>\u201cOnce you live through it, your tone is very different. And the idea that it was theoretical prior to becoming actual is ingrained in any of us that have gone through it,\u201d he says.<\/p>\n<h2 class=\"wp-block-heading\">6. Stay vigilant against shiny-object syndrome<\/h2>\n<p>One of Michel\u2019s take-aways is to avoid getting distracted by cool, interesting new tools, but it may be hard in an industry awash with big claims and confusing terms. \u201cThe industry as a whole has shiny-object syndrome,\u201d he says.<\/p>\n<p>Instead, focus on security measures such as vulnerability management and patching, robust detection and response programs, strong authentication methods like zero trust and passwordless authentication, employee education and training, and live-fire incident response exercises to test readiness. 
Above all, stay vigilant against the big sell.<\/p>\n<p>\u201cEveryone hates doing vulnerability management, but it\u2019s one of the most important things you can do to understand your attack surface, know where the vulnerabilities are and remove them to the point where you\u2019re comfortable with the risk,\u201d he says.<\/p>\n<h2 class=\"wp-block-heading\">7. Funding can flame out after an incident<\/h2>\n<p>Incidents have a way of focusing attention on cybersecurity. Suddenly, <a href=\"https:\/\/www.csoonline.com\/article\/3953098\/what-boards-want-and-dont-want-to-hear-from-cybersecurity-leaders.html\">the board and executive leadership all want to talk cyber<\/a>, hear about risks and there\u2019s money on the table so that people can sleep again at night.<\/p>\n<p>It can be music to the ears of CISOs who\u2019ve been trying to secure more funding, but the focus \u2014 and the dollars \u2014 can be short lived.<\/p>\n<p>\u201cWhen you\u2019ve been saying \u2018these are the risks\u2019 and then all of a sudden you find yourself in that position, then exec staff, the board, everyone, all they want to talk about is cyber for a while, but then it starts diminishing a bit,\u201d says Gerchow.<\/p>\n<p>Expectations rise in line with budget increases. The problem is that it takes time to do due diligence to bring in the right tools and the right skill sets. But if the budget hasn\u2019t been used up in a certain amount of time, executives might reallocate it to other areas once the intense, post-incident focus has faded.<\/p>\n<p>This puts CISOs in the difficult position of having to explain to the board and other executives what the loss of funding means, when many would rather focus on metrics and improvements. \u201cCISOs may talk about risks and progress made against the incident, but not talk about, potentially, how budget and positions are being taken away,\u201d he says.<\/p>\n<h2 class=\"wp-block-heading\">8. 
You must look after yourself at all times<\/h2>\n<p>If there\u2019s one common, overarching lesson for CISOs, it\u2019s that you must <a href=\"https:\/\/www.csoonline.com\/article\/2505459\/how-cisos-can-protect-their-personal-liability.html\">look after yourself, legally<\/a>, professionally and <a href=\"https:\/\/www.csoonline.com\/article\/2074466\/are-you-okay-understanding-the-world-of-a-ciso.html\">mentally<\/a> throughout your tenure in the industry.<\/p>\n<p>With burnout, high stress and increasing responsibilities, many CISOs are feeling the pressure of the role. Incidents add to these stressors, but they\u2019re becoming more commonplace as the frequency of attacks rises.<\/p>\n<p>\u201cIncidents are commonplace, unfortunately; it\u2019s part of the job,\u201d says Thorsen.<\/p>\n<p>Brown encourages CISOs to recognize the potential health impacts of high-stress roles and establish the right support system, which will be vital when an incident occurs. And not to underestimate how stressful being in the eye of the storm can be on your coping mechanisms.<\/p>\n<p>\u201cOne of the big messages is although you might think you\u2019re managing stress, you might not be doing it well,\u201d Brown says. \u201cCISOs\u2019 jobs are hard enough, so people have to find an outlet. But during an event, it gets even worse. Acknowledge this and build a personal plan for yourself, because one approach doesn\u2019t suit everyone for this type of thing.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>When a cyber incident happens, it\u2019s more than just an isolated event. For many CISOs, it reshapes their approach to resilience, risk management, and even their personal well-being in the job. 
Several security leaders reflect on the lessons from real-world incidents and why it\u2019s vital to share them with the community to strengthen collective resilience, [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3518,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3517","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3517"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3517"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3517\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3518"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3517"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3517"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3517"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}