The CEO Cybersecurity Playbook, Part 2: Leading Through a Crisis
Why does a CEO even need a cybersecurity playbook? Isn’t that a technological issue?
Not anymore. Because any breach has the potential to take a company down, cybersecurity is now a leadership issue. Whether you lead a company that has an entire internal IT team, or you lead a small company with 20 employees and outsource all of your IT needs, one thing is always true: as the CEO, you will be the face of the company during any crisis.
If you’ve worked with experts to create a multilayered cybersecurity plan, chances are excellent that the breach will not allow criminals to access your most critical data. But, at the same time, great reputational damage can be done in hours or days. For that reason, after your cybersecurity posture is set and your incident plan is in place, your next steps are to lay out your exact steps for communicating to all your stakeholders, internally and externally, that:
- the company is stable;
- all customer, partner, and employee data is safe;
- everyone can confidently continue to do business with you.
Successfully leading a company through a cybersecurity breach requires decisive, transparent, and strategic actions in order to protect the organization, its stakeholders, and its reputation.
What steps does a CEO need to take in order to lead effectively during a cybersecurity breach?
1. Activate the predefined crisis management plan (see Part One). This plan has been tested, rehearsed, and updated regularly (right?!), so as CEO, you and your team should know exactly what to do when this plan goes into effect.
2. Take immediate ownership. As CEO, you will be driving the decision-making and messaging – whether you want to or not – so you might as well step into that role with strength. The CEO must take responsibility and lead the response efforts, demonstrating accountability and control. When you do this, you will create calm among your key stakeholders and set the tone for everyone who must help overcome the challenges ahead. Investors must be reassured. Boards of directors will require updates. Customers demand assurances that business will be uninterrupted. For all the challenges ahead, communicating your total ownership of the situation will instill the confidence you need to recover quickly and with minimal damage.
3. Prioritize containment and mitigation and establish technical communications. The incident response team will be focused on two things: stopping the breach, and assessing systems so that all impacted areas can be isolated. Unless you are a highly technical CEO, you will likely not be addressing the technical steps required to manage the breach. That said, you will be required to communicate masterfully about all of the steps that have been taken – what was done and why – so staying in step with your technical experts is crucial. As part of your planning with the technical team, establish a specific contact and cadence for communication so that you remain informed.
4. Communicate transparently. Each of your key audiences will have different concerns, and, as CEO, you want to be sure you’re addressing them transparently and specifically. Your internal audiences – employees – will be concerned about the status of the company and their jobs, but they will also want to help. Make sure you’re keeping them in the loop about any way they can aid in the recovery.
External communication, with customers, partners, and the public in general, should be as candid as possible without creating any risks to your technical response. Your goal, externally, is to stay in control of the narrative and avoid allowing any misinformation to take hold. In many cases, particularly if your company is required to comply with specific regulatory authorities, you will want to seek the advice of your company’s legal counsel or crisis communications experts.
5. Protect stakeholders. One of the primary messages you will deliver to your stakeholders is how you are addressing their safety and concerns. Some options include offering resources like credit monitoring or identity theft protection if sensitive data was exposed and providing clear instructions to employees on how to handle the situation, including avoiding phishing attempts or sharing unverified information.
6. Learn and adapt. And communicate that, too. After the breach is contained, review what went wrong and identify gaps in the organization’s cybersecurity defenses. Your whole crisis response team will need to participate so that you can assess the success of each step in your plan and what adjustments might need to be made. Now is also the time to invest: depending on your previous level of investment in your cybersecurity posture, you will need to consider allocating additional resources to strengthen cybersecurity measures, update policies, and train employees to prevent future incidents.
Communication will play a key role in wrapping up the promises you made to your employees, clients, partners, and investors. There is a fine line to walk, of course, because you don’t want to reveal too much about the specific lines of defense in your cybersecurity plan. Work with your technical and communications team to establish sound messaging to reassure external and internal audiences that safety has been restored.
Conclusion
In a survey conducted by technology leadership-as-a-service firm Fortium, 67% of CEOs responded that they are very concerned about cybersecurity, but 44% of them also disagreed or strongly disagreed that their companies were prepared for a breach. There is no reason for any CEO to continue feeling that their company is exposed. That’s no way to sleep well at night. The steps above, and in Part One, provide a beginning framework for how a CEO can effectively establish a cybersecurity posture, a crisis management plan, and a personal plan to lead the company through a cybersecurity breach, minimizing damage and positioning the organization for a stronger, more secure future. And as always, if JSCM Group can be of help, we’re always here.