Materiality is the new buzzword in CISO-land. The SEC cyber incident disclosure rule is causing consternation galore. What's a public company to do? But first, the story. After years of saying "OMG, a security incident could be material," we're now being asked to put our disclosures where our mouths are by notifying the SEC (publicly!) if an incident is material. Materiality was an easy word to throw around when cybersecurity was lightly regulated. Now, companies regulated by the SEC (including foreign ones that trade in the US) need to be more careful and do some real analysis. Here's one way to play it.

1. In your privileged IR plan (you do have one, don't you?), document the process. Typically, your CLO, CFO, and CEO will be part of the committee that decides on materiality. Decide what level of involvement the Board should have.
2. But there's a set of SMEs that provide the data for the committee once the IR team decides that the incident is "big deal enough". This includes some subset of lower-level GMs, legal counsel, regulatory counsel (inside and outside), CTO, CISO, Operations (incl. Customer Care), and Finance. Note here: as a CISO, it's not your job to judge materiality, but to provide facts for your committee.
3. Set specific parameters for the SMEs to report on. Some will be quantitative, others will be qualitative. Here's a starting list.
   * Explicit revenue loss expected
   * Cost of incident response expected
   * Customer reaction expected (qualitative, e.g., how your top 5 customers will react)
   * Customer impact expected (qualitative)
   * Stock price reaction (qualitative, from knowledge of prior incidents in the industry)
   * Publicity and reputation risks (and therefore impact on stock price above)
   * Type, scale, and scope of data impacted (and how the market reacted to other companies' incidents in the past)
4. Exercise your new, shiny process in simulations. Find what works and what doesn't.
5. Tweak your process appropriately and rinse/repeat steps 1-5 annually to account for changing conditions.

What would you add/remove/change? PS, good reading: https://lnkd.in/eKaEzCBg

Interested in more content like this and don't want to miss a post? Connect with me for 3x/week posts on cybersecurity, leadership, photography, life lessons & personal finance (View my profile, click 🔔). #lessonsfromaCISO #cybersecurity #security #infosec #commonsense #leadership #leadershipadvice #cyber #CISO #incidentresponse #disclosure 🔐
Engaging Stakeholders In Incident Response Planning
Summary
Engaging stakeholders in incident response planning is about involving key individuals and teams across an organization to prepare for and manage cybersecurity incidents effectively. By ensuring everyone knows their roles, responsibilities, and communication protocols, businesses can respond swiftly and minimize damage during crises.
- Define clear roles: Create an incident response framework outlining responsibilities for stakeholders, including leadership, IT, legal, and external partners like insurers.
- Set up regular simulations: Conduct tabletop exercises and simulations to test your incident response plan, refine processes, and ensure all stakeholders are aligned and prepared.
- Establish communication protocols: Develop a centralized communication system for sharing updates, tracking incidents, and notifying necessary teams or regulatory bodies quickly and accurately.
You're the newly hired Compliance Lead at a fast-growing tech startup. Two weeks into your role, you discover that the company has no formal incident response plan in place, even though it recently experienced a ransomware attack. Leadership is concerned but doesn't know where to begin, and employees are confused about their roles during an incident. Your CEO asks you to draft a basic Incident Response Framework and outline the top 3 immediate steps the company should take to prepare for future incidents.

- What would your first draft framework include? (Hint: Think of NIST's Incident Response Lifecycle: preparation, detection, analysis, containment, eradication, and recovery.)
- How would you ensure team alignment across IT, legal, and operations? (Hint: Consider regular tabletop exercises, clear role definitions, and a central incident communication channel.)
- What tools or processes would you recommend to track and report incidents effectively? (Hint: Look at tools like Splunk for monitoring, Jira for tracking, and SOAR platforms for automation.)
Having worked in insurance for many years and understanding the importance of keeping your insurer on notice if there is a potential for a claim, I wish more would engage with their insurer during the first phases of an incident response. During incident response tabletop exercises I've had the pleasure of being a part of, communications with the insurer tend to be an afterthought. Most do not have a clear idea of what their cyber policies cover and are surprised to hear that their insurer may provide resources and panel experts to help the policyholder navigate an incident response more efficiently. Insurers should be included as part of the core IR team and be pulled in during the earlier stages of an incident response. For one, they have specific reporting requirements that need to be met, but they can also relieve some of the burden that lies with the victim organization and serve as a guide during high-stakes situations. #incidentresponse #cyberinsurance #tabletopexercises