Steps CISOs Should Take Before, During & After a Cyberattack

By creating a plan of action, organizations can better respond to attacks.

Taylor Lehmann, Director, Office of the CISO, Google Cloud

November 13, 2023

4 Min Read
Words associated with cyberattacks on a digital background: Cyberattack, breach, warning
Source: Wavebreakmedia Ltd IFE-210813 via Alamy Stock Photo

In today's complex threat landscape, cyberattacks are inevitable. Malicious actors are becoming increasingly sophisticated, financially motivated attacks are becoming more widespread, and new malware families are being discovered daily, making it even more important for organizations — of all sizes and across industries — to have a plan of attack in place.

Detailed cyber playbooks are essential and should outline exactly what teams should do when an attack occurs, ranging from best- to worst-case scenarios, so that security leaders can mitigate the issue, reassure business leaders, and move forward as quickly as possible.

While each cyberattack is unique and requires its own procedure and recovery plan, there are three considerations chief information security officers (CISOs) should raise with their security teams and business leaders today to ensure they are prepared accordingly.

Before a Cyberattack: Educate Stakeholders

CISOs and security leaders should engage with business leaders about cybersecurity regularly — and well in advance of when an attack occurs. Education and generating awareness for those who may not be as involved in day-to-day security operations (i.e., the board of directors) is critical for avoiding certain surprises that often come with a security incident. CISOs should prioritize this education through:

  • Fostering strong relationships with business leadership. CISOs can't implement a plan of action until leaders understand the security landscape and key points of risk more broadly. That's why it's important for CISOs to continuously build strong relationships with the right leaders and educate them on cybersecurity so they have a general understanding of the landscape, in the event that an attack does occur.

  • Building a comprehensive framework that outlines roles and responsibilities — and running it by the right people in advance. When a cyberattack does occur, things can get overwhelming — especially when leadership hasn't reviewed and approved the plan of attack in advance. To make sure that everyone has their marching orders during a cyber incident, CISOs and security teams should develop a comprehensive framework that outlines the exact responsibilities of the security team and larger organization.

  • Continuously testing plans to proactively detect flaws and adjust response practices. Even with a plan in place, there could still be flaws in the framework or issues that need to be readjusted, making it vital for teams to frequently test their game plan. By stress-testing their plan, leaders can point out flaws within protocols, leaving time to make updates accordingly. Organizations should test out and challenge their plan by executing tabletop exercises several times a year and reporting the results to leadership.

By implementing the initiatives mentioned above, when an event does occur, CISOs can easily reassure stakeholders that the plan of attack that has been mutually agreed upon and tested is in motion.

During a Cyberattack: Prioritize Effective and Empathetic Communication

When a cyberattack does occur, it is imperative that organizations are able to quickly spin up their teams for response and activate on the roles and responsibilities that have been pre-established. The smoothest and most-effective responders are usually those who are well trained, well equipped, and have pre-staged the requisite tools ahead of time.

The way and tone that leaders communicate during a crisis is essential to effective cyberattack recovery. Leaders should integrate empathy into their strategy, providing impactful and effective reassurance to those impacted, both internally and externally, focusing on restoring stakeholders' trust.

After a Cyberattack: Reflect Without Blame

In a high-stakes, high-pressure environment like cybersecurity, it is imperative that organizations create an open space that welcomes honest and insightful postmortems.

After resolving issues from an attack, security teams should regroup and reflect on the incident to better understand the ways in which they succeeded and how they can improve moving forward. It's important that during these discussions that no particular individual is blamed, and that the focus is about understanding how the organization can improve. The playbook should be reviewed in detail with stakeholders to determine if there is anything that needs to be adjusted to make for a more effective response.

At Google, we adhere to the concept of blameless post-mortems — creating an open space that encourages frank discussions about what went wrong, what went right, and the lessons learned from the incident.

Ultimately, the goal is to avoid surprises before, during, and after a cyber incident. To achieve this, organizations should consistently communicate and educate stakeholders throughout the entire cyberattack cycle to increase the understanding of the event and avoid the same mistakes again. By creating a plan of action that is frequently tested, establishing roles and responsibilities, continuously updating playbooks, communicating frequently, conducting postmortems, and asking for outside help when needed, organizations can set themselves up for more success when it comes to responding to cyberattacks. We will never be able to avoid cyberattacks entirely, but we can always learn and become more effective in addressing them.

About the Author

Taylor Lehmann

Director, Office of the CISO, Google Cloud

Taylor Lehmann is a Director for the Office of the Chief Information Security Officer (CISO) at Google Cloud, where he advises Google Cloud customers and helps them achieve their business goals while adopting a high security bar – one that protects data, operations, and people without compromise or unnecessary friction. Taylor is an experienced CISO whose past work focused on securing global healthcare organizations, removing obstacles, and driving innovative programs that help them achieve their core missions. He has held CISO roles for hospitals, health insurance, health IT organizations, and global banks. Taylor holds an MBA from Boston College and a BS in Finance and Information Systems from the State University of New York at Buffalo.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights