Crisis Leadership: How to Survive Recovering from an Information Security Disaster
Bob Carr, CEO of Heartland Payment Systems, recalls exactly how he felt when he first learned his company had suffered the biggest data breach ever reported - an estimated 130 million debit and credit cards compromised by hackers in 2008.

"I just couldn't believe it happened to us, of all companies," says Carr in a recent interview. "We were so focused on security at all times."

Following the historic breach, Heartland received heavy media attention, public scrutiny, financial penalties and even a series of class action lawsuits. Through it all, however, Carr and his executive team, including CIO Steven Elefant, were determined to be open about the incident and their response. "Our approach was: Be candid about this; tell the truth," Carr says.

The Heartland executives reached out to peers and took their disaster as an opportunity to increase security awareness for the industry by advocating measures such as end-to-end encryption to secure transactions.

More than 18 months later, Heartland has settled most of its legal issues, and the company and its leaders have risen to the forefront of the movement to improve payments security.

"It has certainly been a challenging year, but I think for the most part we have looked at this as an opportunity to really increase security for the industry and embrace openness so that this does not happen to others," says Elefant.

Leaders on the Line

The Heartland case is a prime example of how information security incidents can impact an organization's reputation - and define a leader.

"The problem that Heartland faced could be with any organization," says Marcus Ranum, chief security officer at Tenable Network Security. "The difference is how well the leaders took action and responded to the industry and its customers."

Elefant had initially joined Heartland as a consultant and, soon after the breach, was invited by Carr to join the company full-time as CIO to help lead the response. He could have taken the easy route and declined, but instead chose to take ownership of the issue and ensure that the right steps were taken to keep the company and its customers safe.

For many leaders such as Elefant and Carr, these incidents absolutely can change their careers.

"Anything related to an IT security program that causes the organization embarrassment and bad media coverage of any kind directly relates to and affects the security leader's standing," says Patrick D. Howard, chief information security officer (CISO) at the U.S. Nuclear Regulatory Commission. "It can affect a leader's reputation."

According to Alysa Hutnik, a partner with Washington, D.C.-based law firm Kelley Drye, "The reputation today is largely defined by how a security leader responds to and handles a crisis situation. Do they take ownership and grasp the significance of the issue?"

The consequences depend on the magnitude of the incident and on what caused it. "In most cases the security leader gets the benefit of the doubt when something goes wrong despite all due diligence," says Howard. "More often than not, the action is largely dependent on how the leader responds to the incident and repairs the damage caused."

The security leader therefore needs to be prepared to answer senior management's questions about what happened. That means collecting as many of the pertinent facts about the incident as early as possible, so that the answers rest on evidence rather than speculation.

Every agency is living through the same threats and issues today, "but the difference is strongly dictated by how leaders respond, how they take ownership and are forthcoming about reporting them," Howard says.

Tips from Leaders

Here are five tips for security leaders to follow as part of their reputational damage control and due diligence:

1. Be Engaged -- Be hands-on and develop a clear understanding of who owns each system and its data. Know what information needs to be verified, what must be monitored, and what questions to ask team members on a daily basis, including:

  • What is the security posture of the IT security infrastructure components?
  • How recently, if ever, was it assessed for vulnerabilities?
  • What are the different types of vulnerabilities found? How critical are they, and what risks do they pose?
  • How will applications and data processes be impacted as a result?
  • What alerts are currently generated by the existing security infrastructure components?

Leaders must assess risk potential and exposure before an incident occurs and weigh different options so that the remediation plan takes a holistic, common-sense approach, says Hutnik. For instance, leaders often focus only on how data is stored and processed internally -- entirely overlooking how that data is handled and protected by vendors and third parties.

"The key for a leader is to know what information to ask and seek from their team," says Ranum. "There should be no room for surprises in the security program a leader manages."

2. Seek In-House Counsel -- Invest in legal counsel to understand the legal ramifications an incident can cause, and get sound advice from lawyers on litigation, data breach notification and an effective response plan. For example, assign an incident response team member to consult regularly with the legal team on questions such as: "Who has the authority to make decisions that could affect the company's overall business, such as pulling a critical system offline in the event of an incident?"

3. Establish Rapport with Management -- Chief security officers and other leaders need to ensure they have the senior management backing and support to help them in their security initiatives. Involve management on a regular basis in key decisions and seek their input in major policies and programs impacting the organization. "The reliance and trust factor needs to be high to keep doors open especially during a crisis," says Howard.

4. Possess Leadership Aptitude -- "True leadership skills get tested in such situations," says Hutnik. A leader should be confident and willing to take ownership of the incident, and should take comprehensive steps to be clear, decisive and honest. Be able to say: "Here's what we know, what we don't know; this is what we are finding out; this is how we are keeping our customers and partners informed; and these are the steps we are taking to fix the issue." Says Ranum: "Leaders should be honest and reach out to the community to not make it look like a cover-up operation."

5. Have a Sound Response Plan -- A good incident response plan is essential to handling a crisis. Leaders should ensure that they and senior management are part of the response team and play an active role in identifying the task force, processes and policies involved. "What is routine to you can be very critical to them," says Howard.

Security leaders should rely on professionals with the experience to run the incident response process and should keep the team constantly updated on unusual activity. The leader should know the task force and include key members from critical functions, including business, media, legal, press, IT security and HR, to cover all fronts. A brief, concise policy should be devised for each team member, and collaboratively, so that the team knows how to function and communicate when such an event occurs.

It's About Details

Leaders often focus their efforts on making sure the right tools are in place and the right hardware and software are procured. "What gets missed is attention to the human and process side of things," says Ranum. "Leaders cannot assume that people know what to do next. All details need to be part of the plan."

Examples of the details: What mechanisms will the team use to communicate when handling the incident? Who will interface with legal, executive, public relations and other relevant internal teams? What groups or organizations were affected by the incident? Are they all aware of the incident?

"We as leaders have to figure that no matter how good we are at keeping the bad guys out, at some point, or in some way, they're going to get into part of our system," says Heartland's Elefant. "What we need is to focus on making the data unusable -- then it won't be worth anything to them. It's the reverse Rumpelstiltskin; it's turning gold into straw."


About the Author

Upasana Gupta

Contributing Editor, CareersInfoSecurity

Upasana Gupta oversees CareersInfoSecurity and shepherds career and leadership coverage for all Information Security Media Group's media properties. She regularly writes on career topics and speaks to senior executives on a wide range of subjects, including security leadership, privacy, risk management, application security and fraud. She also helps produce podcasts and is instrumental in the global expansion of ISMG websites by recruiting international information security and risk experts to contribute content, including blogs. Upasana previously served as a resource manager focusing on hiring, recruiting and human resources at Icons Inc., an IT security advisory firm affiliated with ISMG. She holds an MBA in human resources from Maharishi University of Management, Fairfield, Iowa.