Bob Carr, CEO of Heartland Payment Systems, recalls exactly how he felt when he first learned his company had suffered the biggest data breach ever reported - an estimated 130 million debit and credit cards compromised by hackers in 2008.
"I just couldn't believe it happened to us, of all companies," says Carr in a recent interview. "We were so focused on security at all times."
Following the historic breach, Heartland received heavy media attention, public scrutiny, financial penalties and even a series of class action lawsuits. Through it all, however, Carr and his executive team, including CIO Steven Elefant, were determined to be open about the incident and their response. "Our approach was: Be candid about this; tell the truth," Carr says.
The Heartland executives reached out to peers and took their disaster as an opportunity to increase security awareness for the industry by advocating measures such as end-to-end encryption to secure transactions.
More than 18 months later, Heartland has settled most of its legal issues, and the company and its leaders have risen to the forefront of the movement to improve payments security.
"It has certainly been a challenging year, but I think for the most part we have looked at this as an opportunity to really increase security for the industry and embrace openness so that this does not happen to others," says Elefant.
"The problem that Heartland faced could be with any organization," says Marcus Ranum, chief security officer at Tenable Network Security. "The difference is how well the leaders took action and responded to the industry and its customers."
Elefant had initially joined Heartland as a consultant, and soon after the breach he was invited by Carr to join the company full-time as CIO to help lead the response plan. He could have taken the easy route and declined, but instead he chose to take ownership of the problem and ensure that the right steps were taken to keep the company and its customers safe.
For many leaders such as Elefant and Carr, these incidents absolutely can change their careers.
"Anything related to an IT security program that causes the organization embarrassment and bad media coverage of any kind directly relates to and affects the security leader's standing," says Patrick D. Howard, chief information security officer (CISO) at the U.S. Nuclear Regulatory Commission. "It can affect a leader's reputation."
According to Alysa Hutnik, a partner with Washington, D.C.-based law firm Kelly Drye, "The reputation today is largely defined by how a security leader responds to and handles a crisis situation. Do they take ownership and grasp the significance of the issue?"
The consequences depend on the magnitude of the incident and on what caused it. "In most cases the security leader gets the benefit of the doubt when something goes wrong despite all due diligence," says Howard. "More often than not, the action is largely dependent on how the leader responds to the incident and repairs the damage caused."
Therefore, the security leader needs to be prepared to answer senior management's questions about what happened. It's important, then, to collect as many of the pertinent facts about the incident as soon as possible, to avoid speculation.
Every agency is living through the same threats and issues today, "but the difference is strongly dictated by how leaders respond, how they take ownership and are forthcoming about reporting them," Howard says.
1. Be Engaged -- Be hands-on and get a better understanding of the system and data owners. Know what information needs to be verified. Know what information must be monitored and what questions to ask team members on a daily basis, including: