So all your preventative measures have failed – to be fair, they succeeded for the last few thousand hacks, but the bad guys got lucky once, and you now have a full-blown incident underway. Unfortunately you (the CEO) are at 23,000’ knocking K2 off your bucket list. How does your company execute?
Let’s expand the scenario a bit more. Turns out it’s a bad one, with serious implications for business operations and significant customer impact. Decisions need to be made right now to mitigate and respond – both technically and to your customers. The security team has their runbooks, notification trees, and incident response plans in place (you do have all that, right?). They’ve notified PR, Legal, the CISO, and the on-deck line-of-business leadership. Each of those teams is assembling and starting to launch their own parts of the plan. So far, so good.
Now’s where it usually breaks down. You have hundreds of angry customers calling on the phone, and they all want resolution. Response plans rarely extend to business operations, let alone to customer remediation; most organizations try to use existing day-to-day processes, which fail miserably. When there’s a major disaster, hospitals change their workflow. They don’t look for insurance cards – they treat the wounded. Does your call center?
This is not the time to parse expense authority through five layers of management with graduated clip levels, let alone try to run your day-to-day customer care plans. During a crisis, the goal has to be to resolve the customer’s situation on the very first call. You might get away with one level of escalation – as long as hold times are short and calls don’t drop – but as soon as you have to call them back, the customer will be fuming, and probably calling your competitors. And woe to the bottom line if they aren’t called back as promised. Goodwill doesn’t come back easily, if at all.
Avoiding this starts at the very top. The commander’s intent has to be clear, concise and easy to understand. During a recent ransomware outbreak, the CEO told the entire staff to ‘make it right for the customer, we’ll cover the cost’. Full stop.
Now if you have a strong command-and-control culture, I’ve probably just caused a heart attack. But the point is clear – you need a different set of rules on deck when a disaster – cyber or otherwise – strikes. On declaration, the teams break glass on the case, crack the code books, and execute a streamlined workflow that includes escalated authority for the duration of the crisis.
The next time you do a cyber range drill or tabletop exercise, include an angry customer in the scenario. See what happens. I’ll bet that in most organizations your staff will either resort to daily procedures, platitudes, playing hot potato, or just wing it. Very few teams have the modified workflow in place to handle a disaster when it strikes, let alone have a clear statement of their commander’s intent.