How to Control the Message with Commander’s Intent During Cyber Crises | Limor Kessem
Interested in sponsoring an episode like this with your target buyer?
→ Reserve your sponsorship here. ($2,575)
Guest at a Glance:
💡 Name: Limor Sylvie Kessem
💡 What she does: Limor is Principal Consultant for Cyber Crisis Management. She helps organizations build and improve their cyber crisis response.
💡 Noteworthy: She is also a fellow podcaster, speaker and author; she lives in Israel with her beautiful family (her daughter is adorable) and the place she calls her second home has a maple leaf on its flag. 🇨🇦
What is a crisis-level cyberattack?
If we look at the kinds of cyber-related incidents an organization can have, they form a pyramid of sorts. At the bottom is the everyday stuff: users doing things they shouldn't, low-severity alerts from the SIEM, and so on.
Each step up the pyramid is a worse incident, until a level is reached where the cybersecurity team and the CISO have exhausted their capacity to effectively control the dynamics of the situation.
There is a tipping point where a cyberattack becomes a whole-of-business crisis, meaning the business itself is now at risk. Information about the attack has spilled into the media. Reporters are waiting outside or calling in and talking to the CEO, the CFO has just received an extortion letter; all of these can happen at once and pull the entire executive team into the picture.
The board is calling and saying, ‘okay, what the hell's going on here? What are you guys dealing with there? Give us the details.’
“A crisis-level cyber attack involves the entirety of an organization. It can damage reputation and brand, disrupt or halt delivery of products and services, and expose customer and employee private information. At their worst, these attacks can cripple an organization permanently.”
“Everybody's confused. It's chaos. It's a lot of stress.
And if a company is not prepared for it, and we've seen this in the media time and time again, even for really big companies, they're not prepared, they're saying things they shouldn't say, they're not informing customers on time, it becomes crazy.
And that's what we're trying to prevent for organizations with cyber crisis management.”
What is cyber crisis management?
Cyber crisis management is a nimble, whole-of-business response that allows an organization and its executive team to respond effectively, lead the charge, and work in unison rather than in silos to manage a crisis-level cyberattack.
Limor and her team work with those executive teams, preparing them and integrating the crisis response into the organization's existing functions.
“We integrate to business continuity. We integrate into communications, to finance, to functional teams that would need to support the overall effort. Everybody has a role. They need to know it. They need a checklist. They need a plan. They need a playbook. All those things are what we do at cyber crisis management. So, it's not essentially strictly for the CISO of the organization. It's across the whole C-suite, around it, and even the board.”
Is cybersecurity resilience the same as preparedness?
Limor believes it is more than preparedness.
Cybersecurity resilience also requires you, as a human, to keep as much as possible under your own control.
“I was a speaker for the Cost of a Data Breach Report that IBM releases every year. And the total of all attacks was just human error and glitches. Things that we have control over. And so that's why I say, to the extent that we do have control, we want to have that control a little more. If almost half of the attacks are not even caused by anybody malicious or any external party, then we have a lot of control. Can we reduce the possibility of an attack by half?
Organizations also have to deal with nation-state attackers from adversarial countries.
“That is your biggest worry. That's what you gotta prepare for. And you're going to have to really be a lot more risk-averse in that sense, than somebody selling something, right? What surprises me time and again is how at the end of the day, we'll end up seeing very well known companies, even security companies, be caught quite unprepared and, you know, it amazes me. I'm like, there's no way they did it this way. They know how things should go.”
How organizations can be more cyber resilient:
- Meet the adversary with the right tool set
- Provide employees with proper security awareness
- Actually run awareness campaigns and role-based education
- Have playbooks, scenarios and simulations, and drill them every year
“Live the security inside the organization. Cyber security is no longer some sort of a nice-to-have. It’s a business enabler. You can’t buy a plan and shelve it. Some organizations do that: they tick a box, but they never drill it. They never read it. They never looked at it. Then they can find themselves reading it for the first time when they're in a crisis. And you know what, with enough pressure a lot of things will crumble, and if you never stress-tested it, that can spell trouble.
Here’s an everyday example: you go to your CPR class, you learn CPR, but you never tried it on the dummy. You don't know what it feels like, what it looks like; you never did a simulated crisis situation. But then, when you see a semi-dead person, now you want to do great. It could go well, but it mostly won't go well.”
3 Ways Go-to-Market Teams Can Be More Cyber Resilient in Organizations to Absorb Risk
1. Develop Boundaries as a Human Being
“Resilience” in our domain comes in a number of layers.
Personal resilience: You have to take care of yourself in order to become more resilient and withstand everything that is happening, not only in your organization and life, but in the world.
We have to take care of ourselves and set boundaries.
There are people in security companies who are utilized at well over 100%, and that’s a sure way to burn out a workforce that’s already scarce and hard to recruit.
Boundaries are correlated with healthy levels of assertiveness.
You have to use assertiveness to communicate your boundaries.
Boundaries are your way of communicating how you want to live a healthy and fulfilling life, especially when it comes to work.
When we don't say "no" and we don't have boundaries, the work keeps piling up and we keep accepting more stress.
That reduces the quality of our work. It depletes us, and the customer will feel it.
Ultimately the reputation of the organization suffers, and then you get blamed,
when all you were trying to do was help, and do more, and do more.
It's not going to be fun; it might be fun for the first month, but after that it's a drag.
2. Remain Curious and Hungry to Learn in Your Role to Reduce Your Burnout
Limor recommends that marketers, particularly product marketers, PR teams and salespeople, stay on top of the high-level technicalities of the cybersecurity space.
“They're not going to be in the trenches of the sea, but their resilience to remain in that role is probably becoming less and less over time. So to keep learning, keep staying close to the more technical executives and understanding what's going on.”
3. Support Educational and Awareness Campaigns to Counter Cybersecurity Risk to the Entire Organization
Your knowledge as an employee can benefit the company in a crisis: good marketers stay close to what is going on in the market and gain a view that other C-suite executives may not have.
“Their focus is different. Of course, they'll have it to a certain extent because they have to stay competitive.
But I think this is where the edge can come from marketing to the rest of the business and be educational or support educational efforts, support the CISO and awareness campaigns.
I find that's super helpful for the whole entire organization, to be able to counter risk a little.”
What can cybersecurity vendors do to reduce these crises that are happening?
- Do right by the customers
- Report within the relevant amount of time (ASAP!)
- Allow victimized organizations to run their own incident response
- Allow them to understand what's going on
- Do not hide anything from them
- Be prepared to be in front of the media and to speak to them in a thought out manner
- Have everything planned ahead of time to avoid blunders later in the media and in every other aspect
“I always tell our customers: ‘Everything that happens inside your organization during a crisis is good and dandy, and I'm really happy that you do it super well. But what you're going to be judged on is how it looks in the media. And if you don't control that message, and you don't say the things that you really want to tell your customers and, you know, throw out some stressed-out response, then you're going to end up losing so much money. And so many problems are going to come from that response, more than anything you're doing under the hood.’”
Controlling the message with commander’s intent
What does a controlled message look like during a crisis, and how can vendors, and the PR teams inside those vendors and organizations, craft more meaningful messages that affect the industry positively?
“When somebody, any kind of human being, is put under a ton of stress, it's very sudden, and before they even know what's going on they get a call from a reporter, or even from a regulator. It doesn't matter who. They're put in front of a camera and they fumble, right? They might fumble, probably will, unless they're super experienced in speaking to the media.
Everybody's stressing them out, waiting for them to say something and I've seen it. I've seen it so many times.”
What is the commander's intent?
“That means that the company sits together with the CEO, with the CISO, with everybody that manages risk for them, with the comms team, with the PR team, all those important people that shape the message all the time. And I want them to think about, what is the most meaningful thing for us?
Commander's intent allows everybody across the world, it doesn't matter whether the CEO is available or not, is on a flight, or is in a meeting: everybody knows what to do.”
“Do right by the customer.
We'll pay all costs. Period.
That's the stuff I want them to talk about in advance and decide there.
Or if they say we will not pay a ransom to cyber criminals, period. If somebody's life is at risk, we will pay up to $5 million.
I want them to think about it in advance, and even when the time comes and they have to make other decisions, they still have the core understanding of what they decided in advance. If the CFO or whoever is not around, there are pre-approvals and pre-authorizations in place already.
Their comms team already has an idea that was approved by everybody, by legal, by all the important people that have to be in the room. If a breach were to hit now, I don't have to wait.
Within 30 minutes, they have a standing statement and they’re going to say ABC, they’re going to get the information from this person and here's their phone number, their email address. Here's their delegate. Here's the other delegate.
And they’re going to get that information from them. And then they’re going to put out this statement and it's gonna be a good statement that was approved in advance.
That's what I mean about controlling the message.
I don't want them fumbling in front of cameras or trying to, you know, scramble to understand things.
And they don't know who to call and they don't know who to go to. This person said this, the other person said that. I want to have a straight-up seed document with all the information from their technical team. Let's just organize the chaos, because there is chaos.”
Two High-Profile Examples of Cyber Crisis Management That Went Awry
A special thank you to Limor who kindly shared the below insights from her repository of poor examples that could have been improved with a healthy cyber crisis management program.
The Equifax Breach
- Time was a major factor, and a lot went wrong in the first 48 hours. Instead of a well-planned response, the breach turned into a scandal.
- Equifax waited about six weeks between discovering the breach and announcing it.
- Behind the scenes, three top executives sold nearly $2 million worth of stock between the date the company said it discovered the breach and the date it notified the public and investors.
- In the weeks after Equifax disclosed the breach, the company's official Twitter account mistakenly tweeted a link to a look-alike domain four times instead of the company's actual breach-response site. The look-alike had been registered by a security researcher to demonstrate how easily a real phishing site could capture victims looking for help, a risk created by hosting the response site on an unfamiliar domain rather than on equifax.com.
- Credit monitoring, the central way Equifax planned to help victims, was not available to those affected when they tried to enroll; they were told to "check back later", and the sign-up terms suggested they would have to start paying for the protection after an initial trial and waive their right to join a class-action suit. This brought even more scrutiny to Equifax.
“No company would wanna go through that. And as big as they are, something like that is so impactful that, you know, if a response strategy was really prepared in advance, and that resilience was in place, controlling the message and also the activities that followed would've cost them a lot less in every possible aspect, especially the eventual damage to customers and people whose data was lost.”
The Uber Breach
- In 2016, Uber concealed a major data breach, reporting it neither to victims nor to authorities although 57 million riders and drivers were affected; the company only disclosed it in November 2017.
- Uber paid the hackers $100,000 to delete the stolen data and keep the breach secret, routing the payment through its bug bounty program. That framing convinced neither regulators nor the public.
- Later, reporting on thousands of leaked internal files (the "Uber Files") exposed how Uber courted top politicians and how far it went to avoid accountability: the leak revealed that Uber allegedly broke laws, duped police and secretly lobbied governments.
- Further decisions to hide data from investigators are believed to have been intentional.
“So, it helps to really think about those decisions in advance and not under a lot of stress, where humans are bound to take risks they would not otherwise consider. What's going to happen if you do that? Will it eventually be found out? Are you willing to take that kind of a risk? Are you willing to now have lost your job, be the executive known for that kind of ordeal? I don't think anybody wants that. And I think that good preparation and consensus through the entire C-suite can be helpful.”
Subscribe to Audience 1st
Get notified every time an episode drops to better understand your audience and turn them into loyal customers.