After you’ve discovered a breach, your IT (information technology) security department will be a flurry of activity. Most of it will center on the technical work needed to answer questions like “How did this happen?” “What data was lost?” and “How do we fix it?” While your responders are getting you those answers, you’re going to want to know what’s going on. That’s sometimes easier said than done, so you’ll need a good internal communications strategy going in. Here are a few essential areas of focus:
Keep the Incident Responders on Task
As we have talked about in previous articles, this will be a stressful time for you. Whether you are the business owner, CEO, or IT head, you will have a strong desire for up-to-the-second information so you can keep your bosses, board of directors, shareholders, and yourself informed. But resist the urge for hourly updates. You can have your responders examining malware and analyzing packet captures (PCAPs), or you can have them writing updates, but you can’t have them doing both. I’d say you want them working to answer the most important questions.
Designate Who Will Be the Incident Coordinator
I suggest naming an incident coordinator. This person will be the single source of information about the investigation. They will be the person you call when you have questions, and they will be the person delivering your briefings and updates. More importantly, the incident coordinator will be a buffer between the outside world and your technical incident responders. It will be their job to field and triage requests for information and make sure the team is getting you the answers that you require.
There are several important qualities that you’ll want to look for in an incident coordinator. You’re going to want someone who can translate complex technical issues into language that the non-technical crowd can understand. A jargon-free, no-acronym experience is something that will make your life a lot easier.
You will also want someone with some writing skills. You do not need to find Hemingway’s incident-responder cousin, but you will want someone who can write in complete sentences, use punctuation, and generally make sense. You do not want to be on the hook for correcting those kinds of issues before you forward the update to whoever needs to see it in your organization’s chain of command.
Finally, this individual should also be someone with a firm, tactful hand. As we talked about above, this person will need to run interference for your team. They will need to turn away people so that the team can continue working. “People” may very well be you or your bosses, and you’ll want your coordinator to be firm and persuasive.
Agree on an Update Schedule
Since every breach is different, you’ll want to work out an update schedule with your incident coordinator. There is a modicum of comfort in being able to look at the clock and know when information will be coming in. During the first few hours of an investigation, you may want updates as often as every four to six hours. After the initial deluge of information that comes in at the beginning of most investigations, you will probably want to change that cadence to once per day. Then, as things move forward, you’ll want to consider adjusting to every other day or even less often than that. You do not want your team or your coordinator sitting around trying to come up with stuff to say so they don’t have to report “no updates at this time.” And they will do that. I have done it. It is a complete waste of their time writing it and of your time reading it. Don’t fall into the trap.
Final Thoughts
Communication is an important part of a breach investigation. If your team is making discoveries and finding out key information, and you’re not receiving that data, or you can’t understand it, the long days that come with a response to an incident will seem that much longer. Get the right people, set the ground rules, stay informed, and you’ll successfully navigate your breach response.