Managing Executive Expectations During a Cyber Attack


By Ismael Valenzuela, VP, Threat Research & Intelligence, BlackBerry

Whether you’re facing a physical disaster or a cyber attack, the best time to manage people’s expectations is not when the house is on fire and everybody is running around in the middle of a crisis. Proper incident command is paramount, something which is always better planned in advance. When there is weak or inadequate planning, communication problems are bound to appear during the handling of the incident.

As the old Chinese proverb goes, “The best time to plant a tree was 20 years ago. The second best time is now.”

If you didn’t have the foresight to plant a tree 20 years ago or manage your senior leadership team’s expectations in advance, here are seven important items to communicate as soon as possible to ensure everyone’s on the same page when the inevitable fire alarm starts to go off.

  • Manage the risk and contain the fallout. Executive and business unit cooperation is critical to ensure rapid containment and mitigation of the impact. Make sure that executives understand their responsibility to make the Incident Response plan successful and that the response is coordinated to avoid further damage and unnecessary repercussions.
  • Define the chain of command and remember that decision-making should be business-driven, not technical-driven, with a focus on understanding the impact, not fixing it right away. Senior leadership should help to balance investigative efforts with impact assessment.
  • A proper response requires a proper scoping. Ensure the business understands that a response will not be effective without a complete understanding of the threat. Improper scoping and misread signals usually lead to partial remediation, which can lead to further disasters.
  • Consider the long-term recovery (and response). If it’s some sort of targeted attack, the attacker won’t go away to cry in a corner, even if the attack is successfully contained and eradicated. Make sure the business understands that it’s likely that the attacker will come back.
  • Alert key business stakeholder groups. Public relations, legal, and compliance impacts are often not considered. Don’t overlook these or any other notification requirements. These should not be deferred as a post-incident issue.
  • Communicate frequently through executive and technical briefings depending on your audience. A consistent and effective communication process is critical. Regular incident status meetings should be required, and incident status details should be documented in a secure out-of-band location. All critical teams must be in a communication chain, and don’t forget that the communication of sensitive information must be tightly controlled at all times.
  • Don’t jump to conclusions. Use the popular Analysis of Competing Hypothesis (ACH) model to conduct your investigative efforts, and make sure you always get down to the root cause of the incident to continue improving your security posture.

With the world currently experiencing one cyber attack every 11 seconds and the 2022 Threat Report with insights from BlackBerry’s Research & Intelligence team revealing that SMBs experience 11-13 attacks every day its no longer a question of if you’ll be attacked, but when. Managing executive expectations during a cyber incident is no small task but by leveraging the above strategies, can make the difference between significant financial & reputational damage or a quick and painless resolution that enables the business to get back to doing what they do best.

Sustaining Partners