How Business Leaders Can Take the Charge in Breach Response

Defective cars. Stranded travelers. Industrial accidents. Business leaders must cope with crises of all shapes and sizes. How well they weather a crisis is a mark of their leadership ability.

While it’s impossible to plan for every disaster, executives can be sure their company will be breached sooner or later. They can also be sure that employees, customers, regulators, and the press will be looking toward them for guidance and answers.

In our Customers Come First: Data Breach Response Survey, nearly a third of respondents said their organization looks to leadership to determine the breach response. And a Hewlett-Packard Enterprise Security Services survey, conducted by Ponemon Institute, found that 79 percent of senior executives believe top-level involvement is critical to achieving a successful response.

Report: When a data breach strikes, what’s the best way to respond?

Putting Breach Response in a Business Context

Unfortunately, many CEOs and other executives don’t know what to do when a breach strikes. According to HP Enterprise Security Services, many CEOs are neophytes when it comes to understanding security and breach risk. Andrzej Kawalec, chief technologist for Security Services at HPE, said that CEOs must protect critical assets and ensure that their organization is prepared for the inevitable breach.

But to ensure such preparation happens, CEOs must see security in a business context. “Understanding what the assets are, where you operate—online and geographically—and how your business operates in the digital landscape are vital to understanding risk,” Kawalec said. “These will lead to more mature, useful questions such as ‘What’s our level of maturity?’ and ‘Where do we need to invest and transform?’”

CEO Leads the Incident Response

Beyond understanding the business impact of a breach, CEOs and other executives, play a critical part in the actual response process. HPE’s Kawalec identified two roles they play. The first is preparation, specifically ensuring that the organization has a “mature” incident response plan that outlines who to call, what to ask, and what to do during a breach.

According to The CEO’s Guide to Cyberbreach Response by AT&T, “Incident response is so multifaceted—and so critical—that CEOs must play a leadership role in driving comprehensive response programs across their organizations. They should make incident response an investment and operational priority to see to it that any damages caused by a major breach are kept to a minimum.”

Mickey Tripathi, CEO and president of Massachusetts eHealth Collaborative, agreed. His company suffered a significant breach in 2011 when a thief stole a laptop containing the unencrypted information of more than 13,000 patients. “You’ve got to stop and find a seriously dedicated senior level person to take ahold of the problem,” he said during the recent HIMSS and Healthcare IT News Privacy & Security Forum in Boston. That senior manager will lead IT and make the breach its number-one priority, he said. This is the most important part to minimizing damage from a breach.

The Voice of the Company

The second role, according to Kawalec, is “in-progress crisis handling,” which includes public relations. “The organization will need someone to stand up and be very honest and open early in the news cycle. The best person to do that is the chief executive,” he said.

Being “honest and open” about a breach can be difficult, however. Yahoo, for instance, has been criticized about its response. Even after its “mega-breach” in which one billion user accounts were hacked, the company’s CEO Marissa Mayer has yet to come forward. This may be because there are still “unknowns” about the breach, such as how the hacker gained access into Yahoo’s systems, Shuman Ghosemaumder, chief technology officer of Shape Security, told NBC News.

“As CEO, one of the difficulties in issuing any sort of statement is making sure you have enough of the facts so you can portray the situation in the most factual and positive light,” he said. “But when you don’t know how the attacker got in, it is difficult to say your systems are protected.”

Tripathi also agreed, recommending that an organization shouldn’t over-inform external parties, since the initial “facts” are often wrong and will have to be corrected. Also, if an organization states that it doesn’t yet know what happened could antagonize other hackers while the organization is still fixing the exposure.

Prepare Now, Succeed Later

During a breach crisis, life at the top is stressful. But experts agree that advance preparation, such as an effective incident response plan, can help leaders and their organizations weather the data breach storm. As Arnold Glasow said, “One of the tests of leadership is the ability to recognize a problem before it becomes an emergency.”

Report: When a data breach strikes, what’s the best way to respond?