Just five years ago, CISOs tended to be seen as one of two extremes—either as the hero of the hour or the weak link, depending on whether they were viewed as having saved their company from a cyber crisis or as having allowed it. Now, there is almost a competition among global cybersecurity leaders—who can be “the world’s quietest CISO.”

It helps that today, CISOs generally don’t need to shout as loud within their own organizations. Cybersecurity is fast becoming part of every workforce’s vocabulary, and now CISOs are better informed and prepared to manage current and future cyber business risks than they were in the past. And improved cybersecurity protection is helping them to make progress—our earlier research showed that direct attacks are down 11 percent from the previous year and security breaches have dropped by 27 percent as attackers are forced to look for weaker links in the supply chain.[1]

Even so, in a world where threats keep evolving, building good defenses is not enough. Security teams must go further, and that means taking a hard look at how they manage, communicate and engage—especially with the C-suite and Board—as they plan for and handle cyber incidents across the enterprise.

Naturally, the first steps during any incident are to resolve the matter, quickly and with minimal disruption to the business. But it is not always possible to restrict the damage to an organization’s four walls. The impact of an attack can cause far-reaching reputational damage and incur regulatory fines that can outweigh any internal costs.

Three factors are converging to put pressure on how CISOs respond to incidents:

The threat landscape and the defense surface are incredibly fluid. Cybercriminals are taking advantage not only of companies’ rapid shift to working from home, but also of remote employees’ susceptibility to new COVID-19-themed attacks, and they are exploiting the often weak security of remote-work setups.

Legislators are stepping up the pressure. Governments around the world are reacting to cyber incidents by introducing tougher regulations and new legislation on data security and privacy, adding to the complexity of the patchwork already in place.

Government enforcement actions are increasing. Where laws or regulations are already in place, regulators are stepping up enforcement. The United States Securities and Exchange Commission (SEC) has increased its focus on companies’ timely disclosure obligations; the United States Federal Trade Commission (FTC) has sharpened the guidance it gives companies when it opens cases;[2] European Data Protection Authorities are flexing their muscles, with more than €490 million in fines to date; and the California Attorney General is just starting to enforce the California Consumer Privacy Act (CCPA).

Seek legal first

With these issues in mind, the latest Accenture Cybersecurity Forum (ACF) roundtable on September 3 called together Accenture Security subject-matter experts, legal advisors and industry peers from diverse companies to explore the actions CISOs should take to protect their enterprises, the public, and themselves.

The lively debate recognized that most CISOs are highly disciplined—focused on collaboration, preparation and documentation—which serves them well in managing legal risks. With this in mind, forum members agreed that, despite the media focus on charges brought against a high-profile CISO alleging obstruction of justice in a ransomware case, this does not appear to be the start of a trend of United States Department of Justice (DOJ) actions against CISOs. Even so, it highlights the danger of revealing too little, too late, and is a wake-up call for any CISO.

CISOs have a highly specialized role, and the buck generally stops at the CISO’s door when incidents occur. However, leading CISOs agree that they need to be almost attached at the hip to their legal counsel and business unit leadership when responding to an incident. For example, during a cyber incident a CISO should not be unilaterally deciding what information to share or withhold externally, including with the government. Further, CISOs may need practice in storytelling and other aspects of conducting effective training, so they can communicate effectively with the C-suite, instill a culture of security in the workforce, and avoid the catastrophic “We didn’t know what to do” reaction during an incident.

According to security leaders with deep cybersecurity experience, CISOs should adopt these five leading practices:

  1. Consider details of your employment contract. CISOs should document their relationship with the enterprise, including a detailed description of their job, terms of termination, reporting relationships, escalation path, governance responsibilities, and even resources they require, if possible. While not always in a contract, documenting the resources required for effective security is particularly important when navigating business strategy or leadership changes.
  2. Develop a response playbook. Clearly document key activities, such as identification and classification in an incident response playbook; this should detail how threats are evaluated, escalated, and prioritized so that the response is consistent and well-documented.
  3. Govern communications. Establish clear communication paths and information governance so that CISOs and the rest of the response team (for example, Legal, Communications, CEO, CFO) are assigned specific communications roles and responsibilities for reporting, internally and externally.
  4. Undertake advance planning. Prepare a communications plan in advance to identify and map out plans for addressing potential disclosure obligations that may arise. For example, various data protection and breach disclosure laws require disclosure of an incident within a certain number of hours, and these requirements often differ by jurisdiction. Many cyber insurance policies also include disclosure requirements.
  5. Develop robust communications security. During an incident, when “the fog of war” makes communications difficult, having a predetermined secure channel for notification and collaboration can be invaluable. Pre-approved templates can contribute to speed and accuracy for sensitive communications, for example updates to the CEO or Board.

Our esteemed panel of CISOs highlighted three other considerations that are critical for effectively managing incidents:

  1. Build mutual trust and muscle memory: Use tabletop exercises and scenario planning with key members of the response team, and include key business leaders and the Board of Directors or Audit Committee as well. This builds trust, shared understanding and shared expectations, so that incidents don’t become crises unnecessarily.
  2. Test governance: CISOs should take ownership by tackling governance issues head-on and asking difficult questions, such as how the enterprise should respond in specific situations.
  3. Keep records: Clear and accurate records can make all the difference as an incident escalates. Assign someone to document every conversation and decision so there is a precise audit trail; it prevents problems later and supports lessons learned.

CISOs who want to better manage legal, business and reputational risks should embrace greater collaboration, preparation and documentation—and there’s no need to be shy; your business knows that it’s too important to keep quiet about security.

 

Accenture Security

Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence.  Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.

Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.

Copyright © 2020 Accenture. All rights reserved. Accenture, its logo, and High Performance Delivered are trademarks

___

[1] Innovate for Cyber Resilience: Lessons from leaders to master cybersecurity execution, Accenture, 2020. https://www.accenture.com/gb-en/insights/security/invest-cyber-resilience
[2] New and improved FTC data security orders: Better guidance for companies, better protection for consumers, Federal Trade Commission, January 2020. https://www.ftc.gov/news-events/blogs/business-blog/2020/01/new-improved-ftc-data-security-orders-better-guidance

Kelly Bissell

Lead –​ Accenture Security
