The Art of Communicating the Impact of a Cyberattack

Tips by CISOs, for CISOs

Meridith Levinson

August 13, 2024

It’s the million dollar question executives always ask upon discovery of a cyber incident: How bad is it?

Typically, the immediate answer to this question is, “We don’t know.” After all, understanding the full scope and impact of a cyberattack can take months, and even then, the answer may remain unclear.

Now, with regulators increasingly demanding answers to similar questions, security leaders face more pressure than ever to rapidly identify how threat actors got in, where they moved, the systems and data they compromised along the way, and the extent (read: materiality) of the damage.

ExtraHop spoke to several CISOs to learn how they answer these questions and communicate most effectively with other members of the C-suite in the aftermath of a breach.

Be Truthful, Be Confident, But Not Too Confident

Wolfgang Goerlich, a CISO and IANS faculty member, says CISOs have to answer the question “How bad is it?” very carefully. Crisis communication is the art of being confident without being overconfident. Some CISOs make the mistake of communicating in definitive terms in order to appear confident and give the impression that they have the situation under control, but this strategy can backfire in fast-moving breach situations if a CISO’s story changes significantly from one update to another. “That doesn’t look good,” says Goerlich. “You have to communicate the uncertainty of the risk without letting your audience lose confidence in you.”

Goerlich recommends answering the question by conveying that the investigation is ongoing and that the results of the investigation are subject to change. One tactic is to say something along the lines of, “This is a developing situation. On the high end, as many as X number of records may have been compromised. On the low end, it could be Y many. As of right now, we think the number of compromised records is closer to Z. Our assessment of the impact of this breach and the number of records compromised may change as the investigation continues and we get more clarity.”

Provide Visibility, But Don’t Get Wrapped Up in the Why or the How

A CISO who wished to remain anonymous notes that senior executives, including the COO, CFO, and CEO, are usually less concerned with the details of how and why a breach took place and more concerned with the pace of remediation and recovery, particularly when a breach causes business disruption. “They want to know, ‘When will this be over? When will business critical systems be back up and running? How much is this going to cost?’ They don’t want to hear about CVEs and Russian APTs,” he says.

Communicating response and recovery information in the crisp, clear manner demanded by the executive management team can be a challenge for security leaders because “in security, you’re obsessed with ‘the why’,” says the anonymous CISO. “But if you can say, ‘Yesterday, we had 11,000 vulnerable computers running the old version of Windows and we were able to update and patch 10% of them,’ if you can provide that kind of visibility and have that data at your fingertips, you are a value-add in breach situations,” he continues. “A CISO should be able to provide that kind of visibility better than anyone else in the organization. If you’re fumbling around talking about threats and CVEs, you’re not really helping.”

Keep Pace with Demanding Stakeholders

Olivia Rose, CISO and Founder of the Rose CISO Group, advises security leaders to provide updates on the investigation to the senior leadership team frequently, every 15 to 30 minutes, for however long is needed.

Panicky executives in crisis mode are going to demand frequent updates, so it’s best for CISOs to be calm and proactive in their communications, according to Rose, who is also a member of the IANS faculty. Providing frequent updates, even if there isn’t much to say, helps to quell anxiety and gives the CISO some control over the breach narrative. “If they don’t receive this information from you, they’re going to ask someone else,” she says.

Lay the Groundwork Before a Breach

All of the CISOs interviewed for this article emphasized the importance of building trusted relationships with the executive leadership team before a breach takes place. “Don’t wait until your house is burning down to make friends with your neighbors,” says Goerlich.

The CISOs also recommended running cyberattack simulations so that when a breach happens, it’s not the first time the executive team is dealing with a cyber-related crisis situation. One of the many advantages of conducting a cyberattack simulation before an actual breach takes place is that it helps to give the executive team some idea of how long forensic investigations take, why they take so long, and why they're so complicated. Simulations and tabletop exercises also help to clarify roles and responsibilities, lines of communication, and chains of decision making.

Finally, they underscored the importance of telemetry and visibility in giving CISOs the ability to answer honestly, confidently, and quickly those fundamental first questions the executive team always asks: how bad is it, what was stolen, what’s the operational impact, what’s the customer-facing impact, and when did it start?

“You need network visibility, user-level visibility, data movement visibility, and identity visibility,” says the anonymous CISO. “When you can correlate all of that telemetry, then you’re in a much better position to say the cybersecurity equivalent of, ‘It was Colonel Mustard, in the library, with the lead pipe’.”

For more information on assessing and communicating risk in the heat of a breach, join ExtraHop Co-Founder and Chief Scientist Raja Mukerji and Joseph Blankenship from Forrester on Wednesday, August 28, 2024 at 1 PM Eastern for a webinar, Determining Exposure and Risk in the Event of a Breach.
