How the CISO Can Transform Into a True Cyber Hero

The job of a chief information security officer (CISO) often hangs by a thread. Just one difficult-to-manage cyber incident can lead to the loss of their job. And there's been no shortage of examples in recent years. But many times, CISO departures are less about their individual performance and more about how their peers felt during the incident.

The good news is that CISOs can take preventive measures to shape those feelings for the better, applying human savvy to instill a sense of calm during a tense incident response. By following these three steps, CISOs can redefine how they are perceived and emerge as heroes in a cyber crisis.

1. Take Charge of Expectations for Response

CISOs already understand how to play defense well, with a focus on bolstering security, adopting the latest innovations, such as artificial intelligence (AI), and deploying automation and orchestration capabilities for accelerating incident response. Unfortunately, none of these activities alleviates the stress an organization feels during a cyberattack. Unclear expectations on how colleagues outside of cybersecurity should assist in a response only amplify that stress.

Compounding the problem are traditional cyber-incident response plans (CIRPs), which tend to focus entirely on cybersecurity without hooking into the other business departments required for an effective response from a large-scale incident. But CISOs can better manage expectations by focusing their energy on a cyber-incident management plan (CIMP) designed for department heads and senior leadership across the organization.

Responding to cyber incidents may involve professionals in legal and regulatory affairs, public relations, human resources, IT, and other departments. A CIMP codifies the roles each leader will play in a response — from implementing offline workarounds to communicating with internal and external stakeholders — and establishes a strong foundation for expectations. Codifying and socializing this information and the associated processes will alleviate confusion and prevent duplicate efforts during a response.

2. Drive Consensus for Recovery Priorities and "Minimum Viable" Operations

A nonsequential restoration process can also slow down operations recovery — particularly when the organization has forgotten (or can't align on) what its "minimally viable product" is. The CISO can help by guiding others toward a minimum viable business operating environment, which will help the IT team understand what to prioritize following a cyber incident.

Any "minimum viable" plan should align with essential business services and functions within the organization; it should not be purely application focused or developed via a traditional business impact analysis (BIA) application-centric process. Such a plan means that, when requests for application restorations start coming in, IT will have the authority to prioritize those requests based on the ability to restore a function or service to the business, rather than a standalone application. This kind of process, aligned to functions or services, also lets businesses skip the traditional "application criticality tiering" (for restoring a lower-tiered application first if it supports a high-priority service or function).

The ultimate results of this sequential recovery process? An accelerated revival of basic functionality, a well-organized return to business as usual, and a deeper understanding among stakeholders for what happens when — and why.

3. Make Cyber-Incident Readiness an Integral Part of the Entire Organization

Operationalizing readiness, response, and recovery is where the rubber meets the road for the CISO. Plans, processes, and technologies underpin operations, but they each rely on people. Tabletop exercises that focus only on technical response activities strengthen only one "muscle group" of the organization. Consider a different kind of cyber exercise — a war game that involves the entire organization. By exercising the incident management plan with a broader constituency of stakeholders, organizations can build "muscle memory," test communication channels, and identify decisions or risks based on a given scenario.

As part of the war game, the recovery team should run through the sequential restoration. By socializing the order in which operations will return after a disruption, the team can reduce the number of "Is it back online yet?" queries received during a real incident. Giving the broader workforce a foundational level of experience also makes it easier for individuals to pivot and improvise as necessary during a real incident.

Taking on a New Role

There's an old joke that "CISO" stands for "career is seriously over." But today’s CISO has a serious role to play as a hero for their organization. It is a simple matter of evolving from a primarily technical role to a role that incorporates empowering their human peers and stakeholders to become greater collaborators in cyber-incident response, recovery, and readiness.

Building the plans, setting the expectations, and "practice, practice, practice" for individuals who will be involved can bring cooler heads and calmer hearts to the chaos of a large-scale incident response. And when it's all over, the CISO is the hero — just like everyone else who played a role in readiness, response, and recovery.

By Jonathan Goldsberry, US Leader Cyber Incident Readiness, Response & Recovery and Senior Manager, Deloitte & Touche LLP

About the Author

Jonathan Goldsberry leads the US Cyber Incident Readiness, Response & Resilience team at Deloitte, where he helps clients strengthen their business operations using intelligent innovations such as ConvergeSECURITY, developed through Deloitte's collaboration with AWS. As a managed cloud security and compliance offering, the solution taps the power of AI to support end-to-end threat management, detection, response, and recovery at the enterprise level.

This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.

As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of our legal structure. Certain services may not be available to attest clients under the rules and regulations of public accounting.

Copyright © 2024 Deloitte Development LLC. All rights reserved.