Survive the Breach-Protecting People & the Company When the Worst Happens


Posted on in Presentations

The pressure on CISOs has never been greater. Incidents end careers, result in years of litigation and even possible criminal prosecution. Hear from some of the most experienced CISOs, communications experts, and legal advisors with practical actionable advice on how to protect people and their organizations in the event of a crisis. This panel has lived it and can share hard won experience.


Video Transcript

>> SPEAKER: Please welcome panel moderator, John Carlin.
 

     (Applause.)

  

     >> JOHN CARLIN: All right. Good afternoon. The theme of this panel is how to protect yourself and your company. And I'm very pleased to not only have some of the most distinguished names in the field who have lived through and survived, and their careers have survived, along with them personally surviving very serious incidents, but also a group that I have personally had the opportunity to work with, some of the most serious incidents, whether it's national security, actors, or sophisticated criminal groups.

 

     And with that, I'm going to jump right in with the first question to Brad. Brad, you've bounced around a little bit. Apparently, can't hold -- can't hold a job, and been the chief information security officer for GM, for Target. You're currently at Raytheon, along with many other experiences. Maybe we could just start with you. From what you've seen living through actual incidents, what are some themes about how to protect yourself that the audience can take away?

  

     >> BRAD MAIORINO: Sure. Thanks, John. And by the way, you are pretty close right behind me as far as bouncing around, by the way.

 

     Yeah. So, I think when you think about protecting yourself and the company, I think they're one and the same. I think when you look at some of the root causes of, you know, where companies and individuals don't handle it right, it comes down to really two things for me is, one is either they don't have a plan, and two, if they have a plan, they haven't practiced it. Right? So, I like to talk about it in the concept of like relentless preparation as that the world we live in today, right, we all know it's not a matter of if, it's a matter of when your company will be in a cyber crisis. So, you don't want to wait until that day you're in a crisis to figure out that you don't have a plan and you have never practiced it before.

 

     I like to use the soccer team analogy. You know, you ever see like a 5-year-old soccer team, right, playing soccer? It's like a clump of kids like chasing the ball around the field. That's what a company looks like when they don't have a plan and they haven't practiced it. What you want to look like is a World Cup soccer team, right, where everyone has a position, plays their position, they're really good at their position, and after the game, they get together and they say, okay, what worked well and what didn't, and how do you apply that to the cyber world.

  

     >> JOHN CARLIN: Following up on that, turning to you, Siobhan, as a hired gun who gets brought in to protect companies when they are going through the worst. Siobhan is a former Wall Street journal reporter, and you help with the communications. Brad talked about relentless preparation, but I think a lot of times when folks think about preparation, what they're thinking about is the technical preparation on responding to an incident. Where I've seen some of the biggest clumping is actually from the most senior executives, including at some of the largest publicly held companies, because they're all very interested in what that calm statement is going to be. So, maybe you could give a little bit of your experience on is that something that you can practice in advance, and what type of lessons should companies take?

  

     >> SIOBHAN GORMAN: Yeah. No. I think it is a really important point. And I think that now that cybersecurity is seen, I think, as a broader business risk, more companies are understanding that it goes well beyond the technical. Usually, as, actually, everyone on this panel knows, when you have an incident, you have got the technical response, of course, but you have also got the legal response and the communications response. And, you know, I think Brad's point about practicing is really, really critical, especially when it comes to communications, and that's internal and external because it's really just broadly stakeholder management.

 

     And the one add that I would have, just broadly speaking, to what Brad was saying is you need everyone to play their role, and the most important role is having a crisis captain, having someone who can ultimately call the shots, and that shouldn't usually be the CEO. It should be somebody else. But when you're talking about how it is that that whole team plays together, communications actually pervades almost all of it. There are a lot of legal questions there in terms of what you can and can't say, and particularly the sequencing of it. Do you have to disclose something publicly, you know, file an 8K or not? And there are a lot of decisions there that come into play, and those are the kinds of things that the CEO typically will really care about, which is why, again, having things like a playbook and practicing it is really important because sometimes a CEO doesn't realize much they care about communications and how they're showing up in a crisis until they are actually in it. And so, then you can get sort of panicked responses. You get people, frankly, oversharing, usually, and that can be really hard, because if you are oversharing, you can't walk it back. And usually, if you are oversharing at a time that you don't have very much information, you are speculating, and that's not where you want to find yourself in a cyber incident.

  

     >> JOHN CARLIN: Chandra, you've been CISO from the defense sector, and at Lockheed, to another highly regulated space in telecommunications at Verizon, and now in CVS where you have the best of both worlds because you have both retail and you have the pharmaceutical side that's regulated. What's your view on both the theme of how you can prepare yourself, but also following up on the world of communications play?

  

     >> CHANDRA McMAHON: Right. Thanks. And, you know, I really think about -- and to build off of what Brad and Siobhan shared -- when I think about the robustness of the playbooks and the preparedness activities that should be performed, they need to meet a couple of criteria for me, and one is velocity. We've talked about this a lot at the panel. They have to be able to react with the velocity with which events are occurring and unfolding. They need to be agile in regards that, based on the events unfolding, you have got to be able to pivot and pivot quickly. They need to be scalable. And having run several incidents, sometimes people think it is just five people in a room. And having run, you know, some significant incidents, you can actually end up having a workforce of several thousand people doing something across all of these elements, whether ‑‑ like the communications one is so important, right, even as the coms strategy is developed, you have got to build that out internally throughout your company, externally, whether it is media or even through your account management practices, and even to your consumers, depending on what your business looks like.
   

     So, I really think about agility -- velocity, agility, flexibility, and the last one is scalability because you've got to be able to make sure that the playbooks you have enable you to scale up, and that's one of the themes, I think, where companies don't do as well on they don't launch fast enough with enough resources to be able to deal with what's going to happen the next 12, 24 hours, two days from now, a week from now. And so, in our role as CISOs and, you know, trying to lead through that response running the playbooks, we've got to be looking out ahead and looking at all sorts of permutations. So, those are the few things I think about, and the communications is just so critical to the success of how you get to the other side of it. Right?

  

     >> JOHN CARLIN: Yeah. No. It's a key point. I've found -- so, in my career outside of cyber, I have dealt with crises in the national security community when I was running the National Security Division for the Justice Department, ranging from terrorism to hurricane response, and when we think about --building on your point -- what makes cyber different, and for those of you living it, it's almost in your DNA, so it can be hard to explain this to other members of the business who are not living it, which are two things that make a cyber crisis different. One is the speed, as Chandra said, or the velocity of the incident, but the second is the uncertainty. So, as bad as certain other crises are, an active shooter situation, a natural disaster, there actually is usually some forewarning, in the case of the natural disaster for preparedness, or in the event of tragic situations, like shooting situations, you know what happened fairly quickly after the incident. But here, the business leaders need to make key communication decisions, who to talk to, what to say, and also decisions in terms of the business, right, do I shut a system down and take the cost, do I keep it going, in that uncertainty.
   

     And so, turning to this group, how do you handle that?

  

     >> SIOBHAN GORMAN: I guess I'd love to jump in on that because I think the uncertainty comes in in so many different ways, but particularly if you're thinking about a communications chain, usually the first thing is, well, what's the threshold for communicating in the first place, right, and usually it is, well, we have to tell our customers, or whoever, or employees, whoever the stakeholders are who are most affected by the situation. Well, when do you do that? What's the threshold? And so, in these incidents, and this is why, again, trying to think through simulations and playbooks in advance is helpful, what's that threshold that -- how much information do you need before you go out because you can say, well, we had a thing, or we might have a thing, but you can't say anything else. Well, that's not going to inspire a lot of confidence. But you're never going to have perfect information, and so you need just enough to be able to tell your customers, you know, at least this is what we're investigating, and this is how we're dealing with it, and this is how we recommend you deal with it, and we'll share more when we can. Getting to that point is very challenging. And managing that uncertainty, particularly with customers, is something that I think many companies struggle with.
   

     And the other -- the other point -- and I think this gets to Chandra's point about scalability that is really, really important, and something I've seen more in the last couple of years be a challenge -- is just once you go to your customers -- and this is one of the threshold questions you want to ask about -- well, then you're going to get a lot of incoming, and so how are you going to manage that? And managing the incoming is the thing that I think most makes or breaks the response to a cyber incident, because if you do it well, people say, okay, you're on top of it, I trust you. If you don't do it well, they say, oh, well, they're fumbling. They can't answer my question, so they probably don't know what they're doing. And so, I think that that's one of the hardest things that companies run into in these situations.

  

     >> JOHN CARLIN: That's such a great point. Come in as outside counsel to lawyers are sometimes the problem because they'll overlawyer the responses to ‑‑

  

     >> SIOBHAN GORMAN: Not John. He doesn't overlawyer.

  

     >> JOHN CARLIN: Never. But that thinking through the frequently asked questions before you rule out the communication and making that your ability to answer those questions part of your strategy as to when you go out is something that ‑‑

 

     >> BRAD MAIORINO: Yeah. I go back to what Chandra said about the flexibility, the agility of your plan. I mean, I have seen many companies have, like, beautiful interim response plans, like 90 pages, got flowcharts and graphics, but when the actual incident happens, do they use it? No. It sits on a shelf because it's too rigid, it's not flexible. You know, the way I think about when you build a plan, keep two things in mind. One is it's about getting the right people involved at the right time, bringing in the cross-functional group from PR, communications, legal, and so on. They're experts at what they do, right, so you need to expose them to what's going on, and they're naturally going to have questions and know what to do. And then to keep structure around it -- this is to your point around the FAQs -- is instead of having a flowchart, like if this, then do that, just have a list of questions and considerations, think about these things at the beginning of an incident, think about these things at the end of an incident.

 

     You know, a great example is, you know, you might be in a post-mortem from an incident and you're like, you know what, we really should have got law enforcement involved much earlier. So, an easy corrective action is add a question at the beginning saying should we involve law enforcement at this point. I mean, just that simple to remind yourself, and then you've got the right people asking those questions along the way.

  

     >> JOHN CARLIN: Chandra, what do you think about that, and particularly the law enforcement question?

  

     >> CHANDRA McMAHON: Well, first, I agree, the best plans I have seen, and when I've seen companies execute and perform really well, is where they have somewhat of a playbook but with the considerations and decisions that need to be made. And, you know, law enforcement, I think, it's changed over the years, right? And again, you know, many, many years ago, there was reticence or hesitancy to share with the government, to get law enforcement involved. Now I see many companies have moved along that curve and understand that that public/private partnership can be invaluable navigating through a crisis. But where I see companies have challenges is if they have never worked with law enforcement before and they're trying to do it for the first time, and so having outside counsel and the right resources that have relationships and know how to navigate that to guide the company. And then there are companies that have really strong relationships with law enforcement, and they're able to, you know, perform their own calculus on, you know, what's the equation in terms of engaging with law enforcement and when does it make sense and how do you do that in a way that it's -- it's mutually beneficial. And that's what the company looks for, right? The company is looking for a mutually beneficial relationship through that. So, I have seen some things -- times where it has been extremely successful, that partnership and that sharing, and I have seen other times where companies have struggled or they've been hesitant to share information, and I think it's impacted them in a way that maybe if they had thought about it differently, they could have produced a different outcome.

  

     >> JOHN CARLIN: Yeah.

  

     >> BRAD MAIORINO: Yeah. And John and I have facilitated war games together and helped companies run it up to the board level. If you remember, one of my favorite questions to ask during those war games is like, okay, at this point, would you involve law enforcement? And everyone goes, yeah, yeah, we should. Okay. Well, who are you going to call? We're going to call the FBI. Okay.

  

     >> CHANDRA McMAHON: Yeah. Who is calling? Who?

  

     >> BRAD MAIORINO: Who is going to call?

 

     >> CHANDRA McMAHON: Who is going to make the call?

 

     >> BRAD MAIORINO: Well, I know a guy. Okay. What's his phone number? I don't know. Right? So, to Chandra's point, I think investing and building those relationships upfront. And so much, it's not just about having a phone number and a name. It's also having trust. Right? So, those relationships, you don't want to have to build that relationship at 2:00, you know, in the morning on Friday night. Right? You want to build those in advance, and they take time.

 

     >> SIOBHAN GORMAN: And you do want the phone number and the name, and you want it on some other place than the system that just got taken down by ransomware. So, like, having it written down somewhere is a really good idea.

  

     >> JOHN CARLIN: That sounds really obvious. But if you take one thing home, I cannot tell you how many times I've gone to help and all of the materials for the client are on the now locked up computer that they don't have access to.

 

     >> CHANDRA McMAHON: And that's the velocity issue, which is you have to be able to operate at speed to accomplish things in spite of what's occurring situationally, right, if there's lack of communication. And, you know, I've changed through a couple of industries, and each time I've gone in, I've had to go through and, you know, through my onboarding is who is the lead for the FBI relationship, and it's been different in each of the companies that I've been at. Right? And so, we have key stakeholders as we work through an incident response. I know, Brad, as you've changed roles, you know, we often talk about, okay, we have a couple key stakeholders, communications, legal, you know, who will make the law enforcement call, that we -- that are very -- they're critical to the core team, that crisis core team that's going to help navigate that incident and help guide the business and support the executive leadership team on making the decisions that they need to make during an incident. And often, we have -- we talk about velocity, but we haven't talked about how time can be an enemy, you know, when we're responding to -- responding to an incident.

     

     >> JOHN CARLIN: Play that out a little bit. What do you mean by time?

  

     >> CHANDRA McMAHON: Well, sometimes -- and I think, Siobhan, to your point -- if you don't have the communications, some of your thoughts around your transparency and your strategy and how you want to position with your customers, people are trying to spend that discussion time when you are in crisis, and that's actually -- to your point earlier -- not the time to be doing that. So, making sure you have those North Stars that then allow you to operate against, I think, is critically important.

 

     And I think we touched on Crisis Captain. People call them different things. You know, they call them Crisis Commanders, Crisis Captains, but it's -- the Incident Leader -- it's the one person that's responsible for driving the process within the company to make sure everything gets done. And often, I've found when I've served in that capacity, I've had to go you have two hours to make that decision. Get in a room with the right people, and in two hours, I want a recommendation. That's a very different mode of operation when your functions are, normally, oh, well, let's have another meeting, I want to consult with somebody else, I want to do this, and it's like, no, two hours, we're making a decision and we're going to go with it. And we're going to make that decision with ambiguity, in some cases, you know, trying to stay away from speculation, and try to care for all the things that we need to care for in that moment.

 

     I think that that's, you know, that's a critical -- those are -- there are critical timing elements to every incident that if you don't hit it the right way, it will impact your trajectory on whether or not your customers lose trust or confidence in you or they go the other way and you're able to maintain and keep and even increase that confidence and trust in what you're doing.

  

     >> JOHN CARLIN: That point, what you're saying, I think part is a delayed decision -- you've made a decision and it's going to have an impact. So, you haven't avoided the decision. You just made the wrong -- the wrong one by the amount of time it took you to reach the decision, and that's something you can practice with a clock. When Brad was talking about training, I don't see people do it as much, but to literally do the Chandra exercise, or sometimes -- Siobhan, do you want to add to that?

  

     >> SIOBHAN GORMAN: Yeah. I was going to say, I mean, I think that people don't appreciate the downstream impacts, and this is where, again, communications can be your friend, or it can really trip you up. I mean, we were working an incident not that long ago where a critical part of a legal filing got changed literally overnight. Like I woke up and I was like, whoa, whoa, what happened, and no one mentioned ‑‑ no one thought to tell the communications side of things, and so we had a whole set of materials that had to be rewritten like in a matter of minutes, and the client was -- was, you know, very impatient. And it was, you know, everyone was sort of in this scramble because a decision was made way later in the process than it needed to. And so, it can have a lot of downstream impacts, again, because the slower, if you will, the communications materials are to catch up, then the harder it is to just demonstrate that you are on top of it, because the minute you have a public filing, you are going to get a lot of incoming. And if you haven't been able to update the materials that you're using to answer customer incoming, then your people are not well equipped and they don't have answers, and even the minimal answers that are at least, you know, they're not terribly satisfactory, but they are what you have, if you don't have that, then they just don't have anything. It can be really, really hard.

  

     >> JOHN CARLIN: One thing, if you get the chance, because I think that's also a mistake I see in training, so if you are on the security side, it's not your job and you may not know who the key ‑‑ what are the core values of the company that are informing the CEO and making a decision, and that's something you can have a discussion about ahead of time. And there's not a right answer. In different sectors, different times, and different points in your careers, you have been at different companies where that core value has been different. In one case, it might be the most important thing is trust. At another company, it might be security. Those sound similar, but they're actually quite different. And if trust is your first priority, you may communicate in a way that increases your risk for a period of time because it's public, but it's that important to you because the customer relationship. Another company may choose to take the hit of not having been as forthcoming early on because what's most important to them is securing the -- securing the system. So, that you can do ahead of time. And then secondly, you can get your business side to prepare. Everyone says that we want to treat everyone equally, often, whether it's B to B business customers or consumers, but the fact is, often, there are some who are more important than others, and you realize that in the middle of crisis, but it's something you can figure out ahead of time, and then whose job is it in the company to talk to those, who are those critical customers, who is going to talk to them, and are they able to talk to them if the incident is one that renders the system unavailable, and what's the plan.

  

     >> BRAD MAIORINO: To your point about the values, the first part of that, I think -- this is an opinion -- but what I have seen and the way different companies have responded publicly, and having worked directly, all of us, with -- sometimes together -- with certain CEOs, the ones who always have come out and faired better, and it didn't feel like it at the time always, but the ones who put the customers first, like said I don't care about the stock price, I don't care about getting sued. We're going to do the right thing for our customers, and we're going to tell them what happened. Now from a legal standpoint, sometimes that can be scary. From a coms standpoint, it can be scary. But I really do, I look at a few incidents that I've been involved in, and I was, at the time, like you're crazy, you can't say that. But in the end, it proved to be beneficial because the customers recognized that, and they came back, and they rewarded the company for it.

    

     >> SIOBHAN GORMAN: That's absolutely true. One case that I can talk about because we actually ended up writing about it later, in the case -- we worked with Under Armour when MyFitnessPal app was hit, and it was, you know, 150 million users. And they had recently sort of taken a look at their corporate values, and the two that had risen to the top were transparency and commitment to athletes. And so, the Deputy GC, who was kind of ‑‑ she was the crisis captain, she was great at it, she said, look, we have just done these things, and GDPR was sort of in the offing at that point. She said, you know, we have lost, you know, usernames, and it was hash passwords, but there was still, you know, some uncertainty there. And so, she said, look, we've got to get this out quickly because people have to be able to protect themselves, so we're going to go out in the next -- I want -- I want three days, but four days is okay. And so, we went out to 150 million users within four days because they were really clear, transparency, and so it was like the full story all at once, rip the Band-Aid off, and, you know, they wanted speed because they wanted people to have that information because they may have users' passwords, obviously, not just for a running app, but also maybe for their bank account, even though you're not supposed to do that.

  

     >> CHANDRA McMAHON: And I think as -- as we think -- oftentimes, we focus on preparedness and actual incident response, and sometimes we don't talk enough about understanding the tail that comes off of the back of an incident, and sometimes as security professionals, we say, okay, we've done the forensics, we've done the data analysis, we know what the impact is, we've done technical mitigations and response, we've restored services. Well, that's the technical piece.

 

     The coms tail -- and you're dealing with coms through that, but the tail on any incident is longer, wider, and deeper than what happens when you are in the moment fighting the fire, either trying to regain control of your system and get the hacker or adversary out, or whether or not there's been a significant data loss. That tail is deep and wide and long. And so, as we think about not only preparedness and incident response, like one of the roles that we have to play is we've got to be looking 5, 10, 15 steps ahead, and you've got to be seeing beyond that, which is why these North Star values become critically important because you're not going to change them midstream. You've got to operate in accordance with them.

 

     And so, you know, one of the roles that Brad and I play, and even you, is when we -- I often say they're like what do you do. I was at a leadership meeting a couple of weeks ago and I had to introduce myself, and I said, well, we may meet in meetings, but there might be times where we meet, and it will be the first time you're meeting me, and it won't be a good meeting. And at that time, I become your guide and your sherpa to get you through the incident and to help translate and explain -- you've done this many times, I know all three of you have -- to guide the business team through what's going to happen and help them understand. And I know based on the, you know, recent ransomware experiences going on, just having more knowledge about having some kind of guidance on what you can expect, how, you know, third-parties, what are they going to do, what you can expect from your third-party, that becomes really important in terms of incident response because it'll be the core team that's built the plan, that's prepared coms, legal, you know, the cyber team, we're all ready to go, the business team is doing their preparation, the ELT, your CEO team, if they've done preparedness, but when you take more people than that through a process, you're often having to guide them, and you're not going to hand them the playbook and read it. You're going to, through the process of your meetings, declare here's what's going to happen in the next 24, 72 hours, we think, unless, of course, the wild card, the news, something goes into the news. Right? That's one of ‑‑ always the wild cards, I think.

  

     >> SIOBHAN GORMAN: Or the hacker posts something.

 

     >> CHANDRA McMAHON: Yeah. Exactly.    

    

     >> JOHN CARLIN: Well, let's follow up a little bit on what makes ransomware a little bit different than other incidents.

  

     >> BRAD MAIORINO: I'd say the first thing when you think about ransomware and building out a playbook for that is have the conversation with your company first around just philosophically like would we pay, yes or no. Right? Again, not a decision you want to be having on a Friday night at 2:00 a.m.

  

     >> JOHN CARLIN: To add an addendum to that, which is I've had a lot of really well-meaning clients, and even in government, and the conversation is, well, you think the answer is absolutely no, but the answer is really yes because there is some set of circumstances that is severe enough that they will. And so, with that in mind, probably better to have factors.

  

     >> BRAD MAIORINO: Yeah. Exactly. And to the second point is if you decide, yes, you will pay, or if you say no, either way, you should figure out how you're going to pay. Right? We all don't have Bitcoin wallets ready to go. And again, my Friday night 2:00 a.m. example, you don't want to be trying to figure out how you are going to pay ransomware. You want to have those relationships, whether it's law enforcement, incident response firms. There's --

  

     >> SIOBHAN GORMAN: Negotiators. Have the negotiators on board.

  

     >> BRAD MAIORINO: Yeah. You want to figure those, build those relationships out, test those processes before you get into the incident.

  

     >> JOHN CARLIN: And the negotiator part, for those who haven't lived it, I mean, there are some very small niche companies now because it's, unfortunately, it's such big business for the bad guys, be they criminal groups, but also some nation states, that all they do is negotiate, and there's really kind of three or four, I think, main players. A lot of bigger companies won't do it, understandably, because of the risk, so you need to get paired with who that smaller company is who would do the negotiation that you are comfortable with.

 

     And one thing that people don't think of in advance sometimes is even when you have made the decision, I will absolutely ‑‑ we are not paying ransom, you still may want to negotiate because it can buy you -- I don't know if you want to talk about this a little bit, Siobhan -- it can buy you time where you have a little more certainty about when they are going to pop the data that they exfiltrated on some external site as part of their blackmail scheme. So, it gives you a little more certainty on the negotiation. And secondly, they often give proof of life, and so they are giving documents that can help guide you to which servers were actually impacted and what you lost and can help get you a jump-start on what your communications or response plan are going to be.

  

     >> BRAD MAIORINO: Can I ask you a question? Do you see companies directly engage with the negotiating companies, or should they be using external counsel and then they engage the negotiators?

  

     >> JOHN CARLIN: You're talking about in terms of engaging the third-party negotiator. I think it's one that's just like your forensic firm, it's best to do through external counsel so that -- and clarify that the purpose of it is, in part, to protect you from future litigation risk, which, in a serious ransomware incident, there always is. And the idea behind that, in part, is that that can give you the benefits of having the communications be privileged, or work product, which means you don't need to turn them over in all instances if you are later in litigation. And that ‑‑ that's more true in the United States. That privilege isn't as ‑‑ there is not a strong right to that privilege when you are in Europe. And so, for multi‑national companies, often, I think you need to remind some of your colleagues overseas that some of the regulatory risk is here and it is worth going through the privilege steps for the U.S.

  

     >> BRAD MAIORINO: Thanks.

  

     >> SIOBHAN GORMAN: Yeah. I think -- and just to add what you were saying, John, about negotiators. I mean, I think that, particularly if you are looking at kind of the broader, and even kind of the technical management side of it -- and Chandra pointed out, like time is not your friend -- and so, any way that you can kind of extend the time that you have to make decisions is really important, or just to get your act together. Right? If you are going to have to go out, potentially, to a whole series of customers, you want to get to them before the threat actor does, right, before the threat actor posts, before the threat actor starts calling them and harassing them. Same thing with your employees. Whoever is actually affected by this incident, you want to get to them first, and it does take time just to, you know, get the mechanics of that together, particularly if your systems are down. And so, when you are negotiating, you are negotiating for time, you are negotiating for information, and you are negotiating for a little bit more kind of at least, not really control over the process, but at least you can influence the process in a way that you can't if you are just sitting and waiting for somebody to drop something or not drop something, or waiting to see if you can restore from backup before something else happens.

  

     >> CHANDRA McMAHON: And we touched on in our discussion with you today a few things, and I want to just highlight a theme, which is resourcing. Okay? And one of the things I see when companies go and look to respond from, you know, to a cyber incident, we talk about scalability but about resources. And what I would share is every one of your companies, if they go through an incident, you have resources available to you. It is not just your technology teams and your security professionals, your coms, your legal. You have -- each company, based on the industry they are in and the type of work they do, they have a lot of resources available. You have relationships. You have vender partnerships that you can call on to help you, whether or not to help communicate and amplify your message, or to actually help you do work.

 

     And one of the things that I have had to do in a number of incidents is call on experts within the company to do work. So, ones you wouldn't think of. At one company, I called the logistics SME for the business, and I said you are to report in within the next hour to the cyber incident command and logistically you are going to help me move equipment and people to where I need them to get to to respond. Okay? Many times, when teams start to run and do incident response, and you ‑‑ you have a new thing you need to do, you have people trying to like ‑‑ you have people trying to do Excel spreadsheets that are not Excel spreadsheet gurus. You are losing time. You are not getting accuracy and results. Okay? Who in your company can spin data on a dime, large volumes of it? You pick up the phone and you go I need that resource in.
   

     And so, one of the things that I think about in terms of resourcing, whether it is the negotiators for the ransom, outside counsel, forensics firms, crisis management communications firms, you need to think about every aspect of work that needs to be done within the workstreams we have discussed and make sure you are bringing the best resource your company has, not who is assigned on the project right now, but you are bringing that best resource to bear on what you are dealing with so you have the necessary skill to get through what you need to get through. And when those people have been pulled into projects, it's like you are to report in, and I hope you are okay on two hours of sleep, or, well, you know, maybe six to eight weeks, depending on what we're dealing with. And so, this resource theme, I think, is really critical to the success of getting through an incident and being set up to handle that tail as well.

  

     >> JOHN CARLIN: One thing you've all touched on, and it's one of the resources, and with pros and cons, of dealing with lawyers, both in‑house and the external counsel. What are lessons you have learned, and what's your advice for CISOs out there, or budding CISOs, on how to deal with counsel?

 

     >> BRAD MAIORINO: You want to go first?

  

     >> SIOBHAN GORMAN: No. Why don't you start?

  

     >> BRAD MAIORINO: Just involve them. I mean, so that concept of, you know, having the right people involved at the right time. You know, I treat our legal team as an extension of our team, as part of our team. So, I don't know the questions to ask. So, whether I think they need to be there or not, I invite them there anyway, over involvement.

  

     >> CHANDRA McMAHON: From a legal perspective, I've changed roles through companies a couple of times, and one of the things that has always been a critical activity for me was to sit down with the attorney that would be working directly with me. They usually are with me. My attorney is right here, right now, invisibly, because we work so closely together. But she is with me. And one of the things is we went through a very practical activity, preparedness, was we sat down, and we've gone through multiple scenarios, multiple use cases, and she and I have aligned on our philosophy for incident response. And where we have had disparity or a difference of opinion, we've talked through that, like why would you go -- why would you go left versus right, and why is that, and it's bringing their experience -- their experiences to bear, plus yours in a manner. And so, that philosophical alignment is, I think, critically important because, you know, you don't want to be going into that and not know how your closest partner is going to move or direct activity.

 

     I'm very comfortable with outside counsel. I think they are invaluable. And I think one of the things we have to recognize is at times that there are multiple outside counsel firms involved, not just at the incident level, but maybe at the executive leadership level, maybe at the board level, and so, you know, and, in some cases, you have to work in partnership because there are specialties with some of the outside counsel, right, there might be lead, but there's a specialty from somebody else, and so, you know, it becomes critically important to make sure the roles are defined, the responsibilities and who is driving the decisions, and the collaboration there that's required.

  

     >> BRAD MAIORINO: I will say something else. I'm not saying this because my legal team may be in the room here. But I will tell you a story. And this is a past role I had where I went into the company after a major breach, and my job was to understand what happened and make sure it doesn't happen again. So, think about what would you want to do? You'd want to know how did the bad guys get in? What vulnerabilities did they exploit? What's the anatomy of the attack look like? Who did it? Right? If you paint that out, you know, that looks like a really complicated picture, and it's something you have to document and write down. Well, you know, lawyers don't like when we write things down because we're creating a trail. And I will tell you, for the first, you know, year as I was trying to understand what happened and put controls in place to prevent it from happening again, we created a lot of documentation and we struggled with what was privileged and what was not. And it was very frustrating. I, you know, we were like this for a year, until I started getting to post, and I was under oath. And I was coached. You know, my attorney was sitting next to me and I would be asked a question. So, Brad, can you tell us what happened at this point? And my lawyer would interrupt and say I'm instructing my client not to answer that question because that is protected under attorney‑client privilege. So, I will tell you, coming out of that eight-hour painful deposition, I went back and hugged him and said I'm sorry. I should have listened to you. I get it now. So, I said everyone should have to go through that experience because, you know, it is harder, it slows things down, it's extra bureaucracy, but there is a real reason for it. And that was a big lesson for me.

  

     >> CHANDRA McMAHON: I think the other benefit we have when we use outside counsel is they are doing this for multiple companies, and they have -- the value that they bring, in addition to their legal expertise, is they know the current state, the last 10 matters that they've worked, they can apply all that knowledge in giving direction, counsel, and things like that. And so, you know, in our role, we don't see all of that, and so their expertise, I think, because they see so many different matters of different types, it's invaluable.

    

     >> SIOBHAN GORMAN: I would just add one other thing when it comes to outside counsel. I mean, it's -- we have worked with companies sometimes that don't fully appreciate the importance of having outside counsel that does cyber incidents, that they kind of think, oh, you know, we can just get good legal advice. You know, having people on your side who are doing this day in and day out and understand the legal ins and outs is really important, both for cyber counsel, but also making sure your cyber counsel also works really well with like their SEC counsel or whoever you have on for SEC because we've seen sometimes the cyber lawyers and the SEC advice, it is not meshing, and that can have really significant consequences around like what's disclosed and how you are disclosing it. Like are you disclosing ransomware? No, no, no. You don't need to. But, like, there are some SEC counsels that say, no, you absolutely need to. And maybe in a circumstance, that makes sense. But you would want an SEC counsel that can actually tap into certain levels of cyber experience. Otherwise, you're going to -- you're going to be in a position where you're perhaps disclosing things that create alarms or vulnerabilities or perhaps even legal risk that you don't need to.

  

     >> JOHN CARLIN: That's good. I think there's often a balance in discussing it as well where, ideally, your counsel is spotting legal risks, but the legal risk -- going back to the core values question -- may not, you know, may not be the determining factor in how you communicate or what operational steps that you're taking. So, while you are informed of the risk, ideally, your counsel is also saying but I have seen companies go a different way and accept the legal risk, and maybe the suit follows, but, ultimately, that was what was best for the business or the brand.

 

     All right. I have one for you. You have lived through some crazy experience. What's the craziest or most unusual thing you have had happen during your response to an incident?

  

     >> CHANDRA McMAHON: I'll start. So, in addition to agility, flexibility, scalability, and velocity, I will add wild cards. There are three for every incident. You don't know what form or flavor or how they're going to happen. So, one I'll share was we were running an incident, something made it into the news, and the next thing I got a call, and it's like we think someone on your team, who is actively running the incident, leaked this information to the press and we want to run an ethics investigation on your team while they're trying to work 24 hours, you know, 25 hours in a day, eight days a week, to get through that. So, that was a wild one. The other wild card is something called human behavior, and we all know about it.

  

     >> JOHN CARLIN: Can I just pause you one second on the first one because outside of having it as a wild card, it's a good experience, and I often get asked this question, you know, you have this framework and other frameworks that all talk about doing your learning on what to improve at the end. I see this happen so many times is there's -- in the beginning, when you're still in the discovery, response, restoration phase of an incident, you start trying to investigate how it happened or what went wrong, and that's a great way to have people drop what they're doing and start thinking, you know, more about their own liability than protecting the company.

  

     >> CHANDRA McMAHON: And the number of times. And the executive leadership wants to know that. So, the analogy I use is we are trying to put out the fire in the home. We are not trying to go in and like put the new kitchen cabinets in. Right? We'll do the arson investigation, and we'll get you new cabinets. But right now, we're trying to put the fire out.

 

     But the other wild card is human behavior. And in every major incident that I have been the lead for, when something happens in a company, there is just energy, and people need to do something to make it better, to help with the incident. And I have been on calls -- incident calls before, and someone will report in from the field, so‑and‑so went and did this, and we would talk with the lawyers, and they're like, well, that's not really good they did that. We don't want them to do that. But if they are doing that, we know exactly what they're doing. And if we tell them to stop, they're going to go do something else we might not be able to figure out. So, just let them, you know, spin their nervous energy off on doing that because they feel like they're able to do something to contribute to response. So, those are two of my wild cards that ‑‑ the second one, human behavior, happens consistently.

  

     >> SIOBHAN GORMAN: A couple. The first one doesn't have a whole lot to do with communications, although maybe a little bit. It was one where the CISO and CTO thought that they could actually just deal with the whole ransomware negotiation and everything and not tell anybody else in the company, which ended up backfiring. And at the very last minute, they had to tell everybody, and people were very unhappy. So, I would not recommend that as a strategy. You should really, you know, make it a team effort to deal with it. It's not like it's one person's fault that such a thing happened. So, just share in the response.

 

     The other was just a bizarre one. We were working on an incident not that long ago, and, you know, we're kind of trying to crank through the ransomware incident, and they're really down, they have a lot of operational challenges, and they come to us and they say, well, how hard is it to get -- we have -- there's this Bloomberg listing that the revenue of our company is this amount, and it's not that amount. Can we get that corrected? I was like I don't think that's really the time for this. Can we worry about that later? They said, no, no, no, no, because the threat actor came back and they said they're asking for this level of ransom because this is our revenue and it's wrong. We are not that big. I said, well, we'll worry about that later. I'm not sure it's going to like help your negotiation now. But I will say, I think Black Basta, and they actually do look at like public listings of what your company size is and things like that when they try to gauge how much you're going to pay. So, just know that they do do their research such as it is.

  

     >> BRAD MAIORINO: I think the one that surprised me the most was a company got hit by ransomware, and they locked up all their systems, but they also stole all the data as well. And in the negotiations, they pushed back and said we're not going to pay. Right? We have the backups. We're going to restore. And then what surprised me was the level and the extent that the threat actor went through to get paid, to the point where they started taking their customers' data and calling and e‑mailing copies of their customer data to their customers and encouraging their customers to call them and tell them to pay them. Right? That was the most surprising.

  

     >> JOHN CARLIN: Understand. Thinking back, the biggest surprise, we war gamed for years in government what it would look like if a rogue nuclear automation attacked the United States through cyber means, and we all got it wrong. You still could prepare and build muscle memory. I don't know how many of you remember it. I had a surreal experience. First thing in the morning, we do our briefing with the Attorney General and the FBI director, it's on threats -- at the time, terrorism in particular -- and instead, we started seeing the movie clip from The Interview with Seth Rogan to try to figure out what we were doing there because it was about a movie about a bunch of pot-smoking journalists, which highly irritated the autocratic head of North Korea. So, they decided that in response to that offensive movie, he was going to attack Sony with a cyber-attack. It's the only time in my career I've had to brief the President of the United States in the situation room and start the briefing with a plot synopsis of a movie.

 

     For those of you who have seen the movie, and I blame North Korea for having to see the movie, it was not my personal favorite, it is a hard movie to summarize because it doesn't make a whole lot of sense as a film. I will say, though, one practice point from that, though, was we ‑‑ although it was not the scenario that we expected, the same type of crisis decisions among the members of the National Security Council, or the members of the executive leadership team, came into play, even though it wasn't an attack on the grid that we were expecting.

    

     The other thing that famously came out of that incident -- this is going to be my next question to you guys -- is the President of the United States went out, and one of the things that he said was this is a national security incident, but it is not an act of war. And that, in part, Sony had been talking to us, and their insurance would have had an act of war exclusion. That's not the only reason that the government said it. But it had -- it would have had a real impact if we had declared it an act of war. Lately, there's been much discussion with insurers over whether nation state attacks, in general, are going to be excluded from policies. What's your thinking on the latest on insurance, and how should folks think about it?

  

     >> CHANDRA McMAHON: So, insurance is absolutely a risk mitigation lever that companies want to leverage. And as I think about the last three years, the standards have gone up and the expectations, so there's a lot more information that we have to provide, and the insurance companies are looking to carve out certain things that they would not want to provide coverage for. And so, they're -- they're laser-focused on, you know, how do they ‑‑ when they provide their offerings, the premiums and what they're covering, there is a lot of focus on that. And so, we do a lot of work to make sure we are very clear on what our needs are and respond to all the questions that they have. But it has changed dramatically. There are some companies that aren't able to get insured because they just can't meet some of the requirements.

  

     >> SIOBHAN GORMAN: Yeah. I think it's changed pretty drastically. I mean, I remember three or four years ago, we were working an incident, and it was -- it was one of the earlier ransomware -- maybe it wasn't ransomware, it was just extortion types of incidents, and, basically, the company decided that they just needed to negotiate to get it just under what insurance would cover, which was a lot of money. It was like, you know, probably close to $20 million. I was like, wow, insurance is really part of the problem here. Like this is not okay that like you can just, you know, you're only going to negotiate that far, and then you're going to suddenly pay, and that just encourages bad behavior. Now it's like swung the whole other direction. And, I mean, I'm not in insurance, but one could assume that they, you know, insurance companies had to pay out a lot of money when they had sort of that kind of approach, when companies were taking that kind of approach to their coverage, and so they have really cracked down, and they've cracked down on, you know, how it is -- how much they're going to reimburse companies for their vendor consulting relationships, and companies discovered this after the fact. And so, they've got a bill, and all of a sudden, they have to pay like a much larger portion of that bill than what they ever expected just because they didn't fully appreciate how difficult it was going to be to get insurance reimbursement. And so, I think that having those types of conversations with your insurers at the outset and making sure you really understand what is and isn't covered is really important. And, I mean, it may be that you decide, well, that's okay, like they're only going to cover this portion, so we're kind of self-insuring or something like that, but you want to have that sort of business decision in your head before it happens.

 

     >> JOHN CARLIN: Great. We have reached the end of time. Please join me in thanking these panelists that have lived it, hopefully, so you won't have to.
  

     (Applause.)


Participants
John Carlin

Moderator

Partner, Paul, Weiss

Siobhan Gorman

Panelist

Partner, Brunswick Group

Brad Maiorino

Panelist

Chief Information Security Officer, Raytheon Technologies

Chandra McMahon

Panelist

SVP & Chief Information Security Officer, CVS Health


Share With Your Community