Beyond the Boom

Effective decision making is crucial to managing crises and has the potential to impact the organisation and broader community.


Weathering the storm… Leaders need to display confidence and assure their internal stakeholders in times of crisis. 


In a data-as-currency world, one aspect that is constantly under the spotlight is security. While utilisation of modern technology promises limitless potential, there are many causes for concern. High-profile data breaches are cropping up with alarming regularity, affecting millions; CEOs of large corporations are pressured and grilled by lawmakers with questions such as “How could your security be so lax?” and “Why did you respond so slowly?”. These nightmarish experiences unfold because companies channel resources into detection and prevention but not enough into response and remediation.


Understanding Breach Timeline

In any given 24-month period, a business has a one-in-four chance of being hit by a significant threat.1 Yet, recent high-profile security compromises have proved that many are ill-prepared to deal with a major security incident. In fact, a study from the Ponemon Institute found that 75% of organisations don’t have an incident response plan applied consistently across the organisation.2

During the lifecycle of a security breach, several critical events happen. The first event is the point when a breach occurs. The second is when data has been taken or destroyed. The third is when the breach is discovered (either by external or internal parties). And the fourth is when the breach is made public. When it comes to incident response, each of these points in the timeline is colloquially called a “boom” event. However, we are assuming here that the boom event is the point when the breach hits the media and the company loses control of the story.

Although the news media often focuses on the event itself, breaches often span many months. The period before the breach is disclosed or discovered is termed the “left of boom.” During this time, cyber thieves are taking credentials, gaining deeper access, stealing data to be monetised, targeting key intellectual property or preparing a destructive attack. Often, the bad guys have infiltrated long before anyone realises they’ve even accessed the systems. For the organisation, activities to the left of the boom can include security planning and implementing tools for detection.

Everything to the “right of boom” is about responding and dealing with the fact that a security breach is now known. In the past, most organisations focused their attention on the left of boom, not the right, yet both sides of the timeline are important. 



Angry calls from customers and persistent reporters can unnerve anyone and evoke unintentional responses.


Making Better Decisions During Booms

During a boom event, an organisation has the opportunity to respond well, fumble or completely lose control of its response. When a security breach or cyberattack happens, executives need to drive an effective response. They must quickly instil confidence in their customers and other stakeholders that they are pulling out all the stops to resolve it.

For many people in the C-suite, this fast, intuitive response doesn’t come naturally. Although they might know what to do technically to manage a breach, they often aren’t prepared to cope with the human side of the equation. In a crisis situation, the C-suite is up against a human adversary, which can be unnerving. Phone calls from angry customers and opportunistic reporters can catch them off-guard. 


However, doing nothing is worse than taking some action, even if it’s not the right one in the long run. When a cyberattack occurs, the one thing you don’t have is time. Executives and members of the security team need to be able to filter the available information and put it in context, to quickly make the best decision. 

Borrowing a principle originally developed by military strategists, organisations often must “observe, orient, decide and act.” Looping through this sequence encourages iteration. The idea is that if you can go through the loop more quickly than whatever you’re up against, you gain an advantage. By conducting a series of responses, you can harmonise efforts so responses are active. No decision has to be final, and making small mistakes is considered better than inaction and silence.


 Remember, action is better than inaction when it comes to crisis management. 


Acting to the Right of the Boom

The period to the right of boom involves not only mitigating the damage from an attack, but also managing the court of public opinion after customers and the media find out what happened. What happens to the right of the boom can dictate the future of a company. During the crisis, executives need to display seasoned leadership, so it doesn’t look like the organisation is trying to hide something. 

The ability to make decisions quickly is critical during and after a cyberattack or security breach. Through our research, we have found that the top cybersecurity challenge today and in the near future is to reduce average response and resolution times.3 To handle an incident quickly, organisations don’t just need procedures, they also need to practise their responses, so they become automatic.


Why Simulations Work

In a life-or-death situation – say a heart attack – you would want the person giving you chest compressions to be someone who has practised CPR on a dummy and developed muscle memory. That person who has practised and rehearsed could save your life because he or she performed CPR before, even if it wasn’t on a live human being.

In much the same way, executives need to understand more than crisis-response theory. They need to practise their responses so they know what to anticipate during actual security events. There’s no substitute for real-life, hands-on experience, and simulation lets you practise what to do in a given situation. With simulations, you can experience the unexpected in a controlled environment and see how you respond, and then try it again to improve your response. Imagine if you could experience a cyber breach simulation much like a pilot goes into a flight simulator to learn how to best handle emergencies.

The key to simulating a security event is to make it as realistic as possible, so people learn to work together. With a simulation, everyone from the security team, to communications and PR professionals, to the CEO can find out what it is truly like to experience a cyber attack. This type of immersive security experience can be used to test and improve employee skills, security processes and leadership across the organisation. In addition to helping people cope with the event itself and the repercussions to the right of boom, going through a simulation can help executives and leaders develop better strategic long-term actions based on real events and experiences.




Leverage people from different backgrounds as some are practised in making decisions under pressure. 

 

Improving Responses

When a crisis arises, there is no substitute for planning and rehearsal. Once people have experienced a simulated cyberattack, they gain the confidence to exercise leadership and quick thinking when the real thing happens. The best responses focus first on protecting the safety of employees and customers, then data and, finally, the company’s brand. It’s not a matter of if a crisis will occur, but when, so take a moment to consider these issues as you move forward:

When it comes to incident response, is our organisation practising what we planned? Do we have a feedback cycle to incorporate the lessons we have learned?

Do we have the right skills? What muscles do we need to exercise more?

Does my executive team know the critical actions and decisions they need to make immediately after an intrusion is discovered?


Key Lessons & Recommendations

Following extensive experience running hundreds of simulations with a range of clients globally, we have synthesised three key lessons:

  • Lead with the outcome. A good security culture is crucial. It needs to protect the brand, reputation and future of the company. Part of that culture is, during an incident, having a clear “commander’s intent” that is broadly communicated and understood. What does success look like in a security crisis?
  • Move past paper into reality. It is not enough to have detailed security plans and run books. What might look great on paper tends to crumble when pressure is applied. Without regularly using and honing skills, muscle memory weakens. The entire organisation needs to...
  • Leverage different backgrounds. People with backgrounds in emergency medicine and the military usually do much better in security simulations than their colleagues with more traditional business or technology backgrounds. Because these people are used to constantly practising, planning and preparing for many different situations, they are used to making quick decisions under pressure.



Experts on this topic

Caleb Barlow
Vice President, IBM Security, X-Force Threat Intelligence


Christopher Crummey
Executive Director, X-Force Command Cyber Range

The IBM Institute for Business Value uses data-driven research and expert analysis to deliver thought-provoking insights to leaders on the emerging trends that will determine future success. For more information, please email iibv@us.ibm.com


Notes and sources
1 Ponemon Institute. “2016 Cost of Data Breach Study: Global Analysis.” Benchmark research sponsored by IBM. Independently conducted by Ponemon Institute LLC. 2016. http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=SEL03094WWEN
2 Ponemon Institute and IBM. “The 2016 Cyber Resilient Organization.” 2016. http://info.resilientsystems.com/ponemon-institute-study-the-2016-cyber-resilient-organization
3 “Cybersecurity in the cognitive era: Priming your digital immune system”, IBM Institute for Business Value, November 2016