[BreachExchange] CISO’s guide to an effective post-incident board report

Destry Winant destry at riskbasedsecurity.com
Mon Feb 25 01:17:23 EST 2019


https://www.helpnetsecurity.com/2019/02/21/post-incident-board-report/

A successful cyberattack is undoubtedly one of the most disruptive
events an organization can experience. Whether it’s phishing, DDoS,
ransomware or SQL injection, the incident often results in major
service failures and potentially massive revenue loss, as well as
damage to brand reputation and customer trust.

As CISO, you are charged not just with overseeing the response and
mitigation processes post-breach but also with assembling all relevant
information in a post-incident report to the board. Indeed, this is
the most critical and immediate task a CISO must perform after
investigating and containing a security incident.

To discover the dos and don’ts of how to handle the aftermath of a
cyberattack, CISOs can look to the recent Marriott (do) and British
Airways (don’t) post-breach responses. What these two companies did or
didn’t do can inspire how CISOs approach the post-incident board
report – including what information to relay, how to present it and,
most important, what lessons were learned.

Step 1 – Presenting the incident: describing the event’s breakdown

- Provide a step-by-step breakdown of what happened, why the incident
occurred, which weaknesses enabled it, and why these weaknesses exist.
- Consider the weaknesses in the company’s response and the initial
failure that allowed the incident.
- Comment on the security weaknesses that were exploited during the incident.
- Present the relevant security weaknesses that will pique the board’s
interest, framed as an opportunity to rectify them.
- Focus on remediation, rather than attributing blame.

Step 2 – Presenting the executive summary

Your goal is to give board members the information they need to
understand the incident, so that the discussion that follows focuses
on discovering vulnerabilities, mapping key assets, determining how
those assets were impacted, and resolving how to protect the
organization in the future. Use high-level information to set the
context for the discussion, and then cover how the information will be
presented to the public.

Begin by naming the business units and processes involved and the
information assets compromised, such as:

- Business unit and processes involved – digital banking system.
- Information assets compromised – PII database.

Explain both the current business impact and the future anticipated
consequences:

- Current impact – 40 percent of our users have been impacted.
- Anticipated – customer defection, lost market share.

Describe what factors allowed the incident to happen – the exploited
elements and the root cause for their vulnerabilities:

- Exploited elements – customer database.
- Reason for vulnerability – process flaws, technical deficiencies.

Demonstrate which immediate actions you took and responses you plan to
make to mitigate damage and ensure recovery. Example:

- Immediate actions – recommend to customers to change credentials,
upgrade software versions.
- Planned actions – change of controls, upgrade defense systems,
invest in IT and appropriate threat detection and response solutions.

Step 3 – Learning from the breach

Cyberattacks are now a question of when, not if. When one does happen,
the entire organization – from boardroom to backroom – has to treat it
as a learning experience. Cybercriminals and hackers profit from data
breaches, so they will continue to target organizations. As long as
fallible humans use digital systems, they will make mistakes and fall
victim to malware attacks.

It’s important to review how your organization was breached so that
subsequent employee training and vigilance can incorporate those
teaching moments. There’s nothing like learning from experience – the
first time something happens.
