What Should A CIO Do After You’ve Been Hacked?

What you don't do may be the most important thing
What you don’t do may be the most important thing
Image Credit: Cigac Semiárido

CIOs send a great deal of our time trying to secure the company’s networks. We invest in firewalls, two-factor authentication systems, and lots and lots of training for everyone in the company. However, nothing is ever perfect and despite our best efforts, there is still the possibility that hackers are going to be able to successfully gain unauthorized access to our networks. If that happens, CIOs are going to have to make some decisions about how they want to react. Lashing out at our staff whom we blame for allowing the breech to happen is one possibility, but probably not the best idea. What should a CIO do after the worst has happened?

We’re All Under Attack

CIOs have to realize that the immediate aftermath of a breach is the critical time for your hacked organization. If CIOs don’t learn quickly what went wrong and act swiftly – act in the right ways – to fix the problem, they risk exacerbating the damage in terms of both financial and reputational harm. I think that we all realize that cyberattacks have increased during the pandemic as a rush by businesses to digitize services and provide their employees with remote access has made their systems more vulnerable. And CIOs continue to make the same mistakes in their responses. What we need to understand is what to do, and not do, after a breach.

Steps To Take After You’ve Been Hacked

Once we’ve been hacked, we need understand that we don’t just need to fix the problem, we need to improve it. Many companies that have been breached jump into action by adding controls or software that defends against the type of attack they just suffered. The problem is that they don’t address their underlying vulnerabilities. The immediate aftermath is a time to focus on the fundamentals of how your company is being secure. Companies can avoid 99.9% of potential threats that they face if they were to just enforce a policy of doing the basic things correctly and in a timely fashion. This includes things like applying security patches and understanding which devices they want to authorize to connect to the network.

One way that a company can make itself more secure is by recruiting new employees with highly specialized security skills to bolster the company’s security processes and technology. They can also instill a focus on security as part of the culture of the organization. It’s important to note that companies can improve security in other ways, taking steps that reduce costs even as they bring their security up to date. Automation, optimization and moving to the cloud are all ways to mitigate systemic risks while driving greater efficiency and helping to bring costs down.

CIOs need to take a proactive stance by regularly using independent third-party penetration testing, hunt teams and audits to find and fix any issues before they have a chance to turn into problems. Such an approach is a great investment that CIOs can use as evidence that they are exercising due care and due diligence when it comes to security. The benefit of doing this is that it builds trust and confidence with customers, regulators, investors, partners and the public.

The one thing that CIOs don’t want to do is to play the blame game. At some companies, removing CIOs was seen as the best way to signal that the hacked company was implementing a change in strategy. However, such a move can have a chilling effect. CIOs understand that fear and uncertainty will not be your friend when everyone else is in the midst of trying to survive or recover. The loss of a security leader who may understand what happened better than anyone, and isn’t necessarily to blame, could be damaging to the IT department and the company.

After you’ve been hacked, you need to update policies and document changes. It is crucial to establish new security policies after a hacking incident and to document what went wrong and how it was fixed. When you know better, you should do better. Incident-response policies defining roles, responsibilities, action items and expectations demonstrate that an IT department has learned their lesson and will do better next time. Regulators and consumers want to see that CIOs took reasonable measures to contain, investigate and remediate the event. Realize that documenting changes is imperative not only from a regulatory perspective but also to ensure the system is threat-free again, without any backdoors. Taking such steps also can be a catalyst for measuring security effectiveness, something that a lot of companies don’t do. Most IT departments measure things like system uptime, patch and vulnerability data, and pen test results, etc. However, rarely do they correlate their metrics with the business metrics, i.e., those that add value to the organization’s core mission, nor use their data to determine the efficacy and the ultimate return on their investment.

After a hack has occurred, CIOs have to be careful to not send mixed messages. At the same time we do want to be transparent. We need to realize that for post-breach communications, honesty and transparency are often the best policies. It can be all too easy for a CIO who has suffered a ransomware attack, for example, to mischaracterize the attack as a “system issue” or “security incident.” We need to realize that inevitably an internal communication or source will leak, revealing what really happened. When this happens, it will create external confusion and making the CIO look like they aren’t being transparent or candid with their external stakeholders.

Finally, CIOs want to take the time to help others. We understand that there is a tendency to not talk about corporate breaches for fear of further reputation damage. However, being open and sharing lessons can help everyone in the security community. At the very least, if a CIO shares security knowledge with his suppliers, that can make them and the company itself safer. Rather than share their knowledge directly, most large companies typically set minimum cybersecurity standards they expect their suppliers to uphold to avoid being exploited as backdoors into the network. Let us agree that no breach is a good thing but there can be a silver lining: the chance to share insights that allow other companies to avoid a similar fate.

What All Of This Means For You

CIOs have the responsibility to make sure that we take steps to secure our company’s networks. Although we may try hard, there is always the possibility that we may end up getting hacked. If that happens, a CIO has to make some hard decisions about what to do next. If we are not careful, we may end up making bad decisions. We need to understand what the correct way to deal with suffering a breach is.

After you have been hacked, you need to react quickly. When we are hacked, we need to take steps to address the company’s underlying vulnerabilities. After a hacking incident, implementing automation and optimization can make the company more secure in the future. CIOs need to use independent third-party resources to test how secure their companies are. Firms need to make sure that the CIO is not held responsible for the hack. Policies and documents have to be updated after a hack occurs. Post hack, CIOs have to be transparent and make sure that everyone understands what happened. What we learn from being hacked, we need to share with other CIOs so that they can do a better job of defending their networks.

In a perfect world, CIOs would be able to secure their networks and they would never have to worry about getting hacked. Since we don’t live in a perfect world, there is the very real possibility that at some point in time you will be hacked. If this happens, you need to have a plan for how you want to react in place. Taking the correct steps after you have been hacked can go a long way in making sure that you won’t be hacked again in the future.

– Dr. Jim Anderson Blue Elephant Consulting –
Your Source For Real World IT Department Leadership Skills™

Question For You: Do you think that CIOs should make public announcements about the fact that they have been hacked?

Click here to get automatic updates when The Accidental Successful CIO Blog is updated.
P.S.: Free subscriptions to The Accidental Successful CIO Newsletter are now available. Learn what you need to know to do the job. Subscribe now: Click Here!

What We’ll Be Talking About Next Time

The one thing that all CIOs are required to do is to prepare for the future. This means that we have to take a look down the road, see what we think is coming, and then help our company to prepare for it before it arrives. It is starting to look like this thing called the “metaverse” might actually have some legs to it and if it does, then CIOs need to start getting ready for it today. Although creating an online world that people spend all or most of their day in may sound fantastic, this may come to be. CIOs need to understand that this kind of behavior may have an impact on the mental health of the people who work for us. How could it affect them and what can we do to prepare for it?