After a cybersecurity incident, organizations face intense scrutiny from regulators, customers and others. But successful recovery requires more than just technical fixes — it demands coordinated leadership across the C-suite and board. Todd Renner and Frank Damm of FTI Consulting explore how senior leaders in every role can help rebuild both security and trust after a breach.
In the aftermath of a cybersecurity incident, stakeholders — including media, government regulators and law enforcement, Wall Street, third parties, customers, employees and legal teams — watch the affected organization closely, scrutinizing what might have gone wrong, how remediation is handled and what the organization implements to mitigate future cyber risk.
This heightened attention can be accompanied by public distrust and financial loss, regulatory enforcement actions and costly litigation. To help protect against these serious impacts, it is critical for organizations to rehearse their plan for handling cyber incidents and prioritize the recovery phase of incident response to rebuild, secure and improve their corporate resiliency.
Cybersecurity is no longer the sole responsibility of technical teams; senior leaders should be actively involved in preparation and planning to mitigate the risks and create a collaborative cybersecurity culture from the top down. An effective program should involve rebuilding and enhancing cybersecurity and cyber risk management programs with guidance and buy-in from key stakeholders across the board, C-suite and all relevant business units.
Senior leadership perspectives by role
Following a cybersecurity incident, each member of the senior leadership team, along with other organizational stakeholders, has distinct responsibilities. Unfortunately, senior leaders frequently learn of the importance of their role in cybersecurity only after an incident has occurred.
When leaders understand their roles before an incident, they can seamlessly and efficiently work together to minimize the negative effects of an incident and enhance cybersecurity resilience moving forward. Explicitly determining expectations of various leadership roles and how they work in unison is a meaningful step on the path to establishing trust and building a secure enterprise. While not an exhaustive list, below is a sampling of key leadership positions and their respective responsibilities in contributing to rebuilding cybersecurity resilience.
Chief information security officer (CISO)
The CISO is generally responsible for developing the overall cybersecurity strategy. This includes managing a defensive posture to protect the organization from threats, determining how to mitigate cybersecurity risks introduced by third-party vendors and applying any controls needed to achieve compliance with industry, state, and federal cybersecurity regulations and policies. The CISO also provides updates to executive leadership, the board of directors and the rest of the organization on threat intelligence and other emerging risks that could impact the overall organization.
General counsel (GC)
GCs help determine an organization’s risk appetite, need to understand its risk management approach and typically oversee the compliance and audit functions. The GC provides a critical lens into the consequences of poor cybersecurity and can support much of the justification for investment in it: reducing the likelihood and severity of regulatory sanctions, financial loss, reputational harm, personal liability for directors and officers and other material impacts to the organization.
GCs should have a strong grasp of their organization’s cybersecurity capabilities and challenge cybersecurity strategy to help the CISO think critically about and improve the plan in place, supporting tactical enhancements to protect the strategic interests of the organization. This provides a 360-degree view of cybersecurity investment and maintenance within an organization.
Overall, the GC plays an integral role in driving cybersecurity culture across an organization. Internal issues often intersect and overlap between departments and ultimately tie back to cyber and legal risks. GCs can leverage their relationships across the enterprise to conduct workshops with the information security team and each business unit to discuss cyber risks and challenges and to promote the importance of cybersecurity.
Chief trust officer (CTrO)
The CTrO develops and enforces trust frameworks and policies that address cybersecurity across organizational operations. Ahead of a cybersecurity incident, the CTrO should ensure alignment between the cybersecurity strategy and organizational values, policy and response. The CTrO is essential for communicating with key stakeholders regarding the protection of customer information and sharing how the information is being secured in an easy-to-understand manner.
“Maintaining trust with stakeholders throughout a cybersecurity incident is critical for minimizing public fallout and long-term reputational and organizational harm,” says Madelyn Hawkins, a senior director of cybersecurity and data privacy communications at FTI Consulting. “Stakeholders today expect organizations to prepare for the worst — and if the worst happens, to keep them informed at every step of the response. Organizations can reinforce confidence by communicating the steps taken to prepare, secure, and rebuild.”
Chief financial officer (CFO)
The CFO is responsible for allocating resources and creating a budget specific to cybersecurity needs and priorities. The CFO should be an active participant in developing the cybersecurity strategy to ensure it aligns with the organization’s overall financial risk management strategy. The CFO also works with other senior leaders on required disclosures regarding cybersecurity, such as the SEC’s mandated disclosure of material incidents by public companies and the annual disclosure of cybersecurity risk management, strategy and governance. The CFO should be a key partner for understanding the capital expenditures and operational costs of cybersecurity tools and personnel.
Board of directors
The board of directors is responsible for ensuring strong cybersecurity and resilience policies are implemented and effective, and that all board members are aware of the organization’s cybersecurity maturity. The board should identify key cybersecurity stakeholders at the organization (from legal, compliance, privacy, security and information technology teams) and involve them in board-level preparedness and response discussions.
This can include an extensive cost and risk analysis that illustrates the extent of financial and reputational losses following an incident compared to the cost of strengthened cybersecurity readiness measures. All board members should maintain a general awareness of organizational culture and practices surrounding cybersecurity risk and data retention.
Board members should participate in regular cybersecurity incident response simulation exercises to ensure all critical teams are prepared to respond in the event of an incident. Organizations should consider adding an experienced information security professional to their board to help address a growing range of cybersecurity and governance considerations, and should provide regular cybersecurity training to all board members. This is especially important as legislation around the world raises the personal stakes for leadership: the EU’s NIS2 directive explicitly allows management bodies to be held liable for an organization’s non-compliance, and the SEC’s cybersecurity rules in the U.S. require disclosure of how the board oversees cyber risk, which increases individual directors’ exposure when that oversight falls short.
What now?
Before and after an incident, organizations must take corrective and preventive action against both existing and emerging threats. Maintaining a foundation of essential cybersecurity tools, training and monitoring will minimize the impact of an incident and allow for quicker recovery. Steps an organization can take to rebuild cybersecurity resilience following an incident include:
Conduct regular cybersecurity assessments
Conduct assessments that measure the maturity of the controls that manage and mitigate cybersecurity risk to the organization’s systems, assets, data and capabilities. This includes program assessments, gap analysis, penetration testing, red-team operations and regulatory compliance and reporting assessments.
Identify critical dependencies
Third-party risk management (TPRM) involves identifying critical systems and the dependencies they have on third-party suppliers. TPRM audits help determine how those third parties affect the organization’s cybersecurity risk. Organizations should then design defense-in-depth controls that close the identified gaps in prevention, detection and response, with clear ownership of each control.
Understand and map your data
When data is stolen, it is imperative to know what was taken and from where. Data mapping should therefore be done before an incident, so the organization already knows where its most sensitive information resides rather than trying to reconstruct that picture after exfiltration. Develop a plan for increased protection around your “crown jewels,” as they are the most valuable to, and most targeted by, threat actors. Network segmentation gives security teams finer control over the protections applied to valuable data and limits a threat actor’s ability to move laterally across the organization’s network.
Know your assets
Identifying, categorizing, controlling and monitoring your assets, including hardware, software, personnel, facilities and locations, is a continuous process that strengthens an organization’s cybersecurity strategy. Combined with knowing your data, it leads to a more comprehensive and collaborative cybersecurity strategy.
Reevaluate cybersecurity strategy and budget
Once security gaps and valuable data are identified, executive teams should re-evaluate the organization’s cybersecurity strategy moving forward to address vulnerabilities and enhance resilience. This includes updating the budget and allocating dedicated resources to cybersecurity efforts.
Test response and training plans
Organizations should regularly test incident response plans and documentation to evaluate what works during an incident and what can be improved. Update the plan regularly according to best practices for your industry, and ensure a comprehensive employee cybersecurity training plan is in place that teaches cyber risk mitigation tactics and helps prevent future incidents.
Path forward
An effective cybersecurity resilience plan following an incident should involve rebuilding or enhancing cybersecurity and cyber risk management programs with guidance and buy-in from key stakeholders across the board, C-suite and all relevant business units. This plan should not focus solely on patching the attack vector used by the threat actor; remediating what caused the incident should be only a small piece of a holistic plan to mitigate future cybersecurity risks.
Embedding these improvements into a comprehensive, framework-driven strategy allows organizations not only to recover from cyber incidents, but also to build a resilient cybersecurity posture going forward. Cybersecurity is a team sport.