Addressing a Breach Starts With Getting Everyone on the Same Page

The best incident-response plans cover contingencies and are fine-tuned in stress tests to ensure collaboration, remediation, and recovery efforts align.

Greg Notch, Chief Information Security Officer, Expel

October 11, 2023

[Image: Tiles with black, closed padlocks; one is red and open, indicating a cyberbreach. Source: Andrii Yalanskyi via Alamy Stock Photo]

Cyberattacks continue to rise, with a staggering 38% increase in global incidents last year. Attacks on digital identities are skyrocketing, cloud attacks are increasing, and ransomware continues to plague organizations in every industry. As the threat surface expands and the concept of a network "perimeter" becomes less and less defined, the issue is when a business will be attacked, not if it will be. That means businesses need to think not just in terms of prevention, but mitigation — and that starts with a plan.

Uniting Competing Priorities

There are a lot of competing priorities during a breach. The CFO will be concerned with the financial impact. The CMO and sales teams will be worried about reputation and customer messaging. The CTO, CIO, and other technology leaders will be focused on remediation, business continuity, and future prevention. Waiting until a breach happens to pressure-test the balance between those priorities isn't ideal. That means it's important to make a plan — several plans, in fact:

  • Business continuity plan (IT/finance). This should include specific instructions for recovery from a wide range of potential problems. Is a disaster-recovery process in place? Are there external providers or resources to contact? How can you get in touch with them? Are there backups that can be restored? Where are they, and who owns them? This plan should encompass all the necessary processes to ensure business continuity in the event of an incident.

  • Crisis communications plan (marketing/PR). It's critical to have a plan that defines who is in charge of messaging to internal stakeholders, customers, your board, and the public at large. Uncertainty can lead to confusion, which can make communication less effective and cause additional headaches. It's important to include detailed instructions regarding who the key decision makers are and which teams will have input into those decisions.

  • Incident response plan (security). This plan should detail the steps that security and technology teams need to take to address a potential incident. That means knowing how to identify, contain, and remediate a threat, but it also means knowing how to recover from an incident and apply its lessons in the future. One of the most important steps is to appoint an incident commander to lead the response efforts. This person supports the above plans and is responsible for decisions and communications to other parts of the organization. The CISO should provide oversight, but consult with other security leaders, including the incident commander, as well as third-party experts.

These plans cannot be made in isolation — they need to be aligned with one another, and leaders need to proactively collaborate. Otherwise, competing plans may wind up forcing people to work at cross purposes, creating unintentional conflict. This means it's important to not just draw up plans, but to stress-test them as well.

Testing Your Plans: Tabletops

Tabletop exercises are scenario-based breach simulations. They're usually run internally, though they often involve external consultants who can provide an objective perspective. They can be built around a variety of scenarios, and the exercise is run much like a traditional tabletop game. An exercise might start with a technology problem and escalate through the PR response to a major breach. It might even get to a point where bankruptcy papers need to be drawn up. It sounds bleak, but knowing what to do in a worst-case scenario is important.

The goal here is to ensure that not only do the individual players know their roles during a security incident, but that they work well together. If there are places where the business recovery plan and incident recovery plan come into conflict, it's important to know that well ahead of time. If there are gaps in coverage where those plans are insufficient, they need to be refined and improved. It's especially important to test the places where communication and collaboration are required. If security controls failed to catch something, it's important to know why. Tabletop exercises help businesses assess their current standing while identifying opportunities to reduce risk and optimize their resources.

People Are as Important as Technology

Security breaches are stressful. There's often significant risk to the business, as well as people's livelihoods, so tensions can run high. People react to times of stress differently, and that's OK — but it's also why it's important to have a plan in place that takes emotion out of the equation by providing clear, step-by-step guidance. Security technology gets most of the attention, but it's important to remember that technology isn't the only — or even the most important — thing that needs to be tested. A breach affects the whole organization, from IT and security to finance and sales. When an incident occurs, it's important to know that everyone understands the role they play in achieving a positive outcome.

About the Author

Greg Notch

Chief Information Security Officer, Expel

Greg Notch is the Chief Information Security Officer (CISO) at Expel. As CISO (pronunciations may vary), he is responsible for ensuring the security of Expel's systems, as well as keeping customers educated on the threat landscape and the latest techniques for mitigating risk in their environments.

He's been doing the security and tech thing for over 20 years — helping companies large and small through all three dot-com booms to build high-performing engineering teams, and improve their technology, process, and security. Before Expel, Greg spent 15 years as the CISO and Senior Vice President of Technology at the National Hockey League (NHL), where he led their information security program. He also led the league's technology strategy, digital transformation, and cloud initiatives. Prior to the NHL, Greg worked on infrastructure, security, and software systems for Apple, Yahoo Search, eMusic, and several other NYC-based tech startups.
