BreachExchange mailing list archives

Cyber security: What You Must Know to Talk about a Data Breach


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 9 Jun 2015 20:00:26 -0600

http://ww2.cfo.com/cyber-security-technology/2015/06/must-know-talk-data-breach/

As a CFO, you are a top strategic partner to the board and the CEO. You are
a de facto risk manager and communications specialist with a focus on the
bottom line. Finance executives have an evolving role, and are more than
ever concerned with new reputational risks — especially those related to IT
security and data breaches, topics that are critical, still emerging, and
often highly complex and nuanced.

In particular, customer responses after a data breach can have unexpected,
adverse consequences for an organization, a risk that has played out
publicly numerous times.

Preparation — well before an incident occurs — can make all the difference
in a later outcome. The governance of your cybersecurity program, the
adherence to well-trod frameworks, and the creation of actionable,
trackable metrics are key components of preparing for a breach or other
public information security incident.

But what about your personal preparation? How can you be ready, in your own
role as a risk manager and communicator, to talk simply about a data breach
with investors, employees, your board, and your customers?

The quick exercise below can help. The goal will be to strip away the
complexity around information security and keep your focus on the “bottom
line” for the organization. Out of this exercise you can create a one-page
reference point that can serve as your basis for a host of conversations
around cybersecurity, before, during, or after a breach occurs.

What Do You Know?

If you feel your understanding of cybersecurity or data protection is not
strong, start with an area where you surely are strong: your customer base.

Who among your customers would be most affected by a data breach? How do
they consume information from you today — by mail, email, newsletters,
through call centers, through social media? What are their primary concerns
— are they individuals afraid of losing money or of their credit being
affected, or are they institutions that are more concerned with
reputational and regulatory risks?

If you provide services to a broad base of individual customers, your
audience may be very diverse and consume a wide range of media, from print
publications to Twitter and Facebook.

If you work in a business-to-business capacity providing third-party
services to companies, you may also have a network of relationship managers
who can contact important clients in a variety of ways. If you provide
investor services, broker-dealer services, or pension management, your
audience may have especially nuanced needs and require high-touch outreach.
Finally, depending on your role, you may also consider your internal
employees, the board of directors, or the CEO to be your “customers.”

Once you have sketched out a brief customer profile, you can also begin to
understand the top concerns of those customers. Consider some of the
communications vehicles that could be used in a cybersecurity event, and
how you would reach out to and reassure these important individuals.

Finding the Communications Stakeholders

Now that you have a strong understanding of your audience, it is important
to understand what kind of cybersecurity messaging already exists in your
organization.

Make contact with your cybersecurity or information risk lead, in-house
legal counsel, internal or external communications specialist, and any
other client-facing communications specialist you may work with on a
regular basis (investor relations, media relations, customer relations,
compliance, etc.).

Ask these individuals how they view their respective roles in communicating
about a data breach. Be mindful that depending on your organizational
structure, there may be multiple plans and multiple templates. Or, if your
company is not particularly mature in this space — if it is new to having
an information security program, for instance — they may not have any
communications in place. Further, regardless of the maturity of your
organization, there may not be a strong understanding of who would take the
lead in such a response, or of everyone’s roles and responsibilities.

If communications do not exist, ask your information security and
communications leads to work together on creating a one-page "what if"
response that could be used as a basis for any adverse information security
event. If communications do exist, make note of who provides oversight and
review of the existing documents, and ensure they reflect your
understanding of the client concerns your business would face. Review any
drafts and, as you see fit, ensure a wide range of stakeholders and senior
leaders have seen them.

What Is the CFO’s Role?

Now that you have clearly established your customers’ worldview on data
breaches and gained a better understanding of how your company is prepared
to talk about a cybersecurity incident, turn the focus back to your own
readiness.

In the event of a breach, given all you know now, how would you personally
be asked to respond? Could you speak competently to your management team,
those in the executive layer, and members of the board about any concerns
they may have?

Questions around cybersecurity insurance, anticipated effects on financial
filings, estimated costs of remediation (providing credit monitoring for
victims, for example), and concerns about reputational risk all may be on
the table. You know the audience best — write out their anticipated
questions, and how you would answer them. If there are gaps in your
understanding, fill them with the help of the cybersecurity, IT risk,
legal, and communications stakeholders you have already consulted.

With their help and these new insights, you now have the ability to create
a baseline set of talking points that can help you articulate your
customers’ needs and your company’s capabilities and readiness if and when
the time comes.

A Critical Dialogue

An exercise like this one is by no means meant as a fix for programmatic
difficulties or a lack of reporting in the information security space. But
it does open up a critical dialogue. On the one hand, your conversations
will allow your stakeholders to quickly take stock of how you view the
reputational risk of a data breach versus how they view that risk. The
conversations will also highlight some of the roles technology and
non-technology leaders will play when a data breach occurs. And it is
important to remember that a communications response, as outlined in this
exercise, is just a single part of the wider preparatory activities that go
hand in hand with creating a robust information security program.

Cybersecurity as a practice has been around for decades. Just as your IT
security professional may not be able to tell you the morning LIBOR rate,
you will not be expected to explain the technical details of a data breach.
But what will be expected of you increasingly is the ability to have a more
sophisticated dialogue about how cybersecurity matters affect your clients
and your firm, what is changing, and how your company governs and manages
the cyber risk. This is one important step to reaching that sophistication.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/