That failure often stems from security leaders not wanting to be seen as wet blankets on business success or innovation, Carlin suggested. That’s understandable, but when an incident happens, business leaders can feel blindsided because they weren’t well informed about the risks the company was taking on.
Tabletop exercises are also critical in helping companies endure the legal and regulatory consequences of a breach. Not only do they tend to help companies respond effectively, thus limiting the severity of most breaches, but they also serve as notice to regulators that the company takes security seriously. Regulators who investigate breaches “work the chain backward,” Carlin said, asking what system the failure occurred in, who oversaw it and what data was on it. Therefore, a good tabletop exercise should work similarly, “imagining that a breach has occurred and then using that optic to work backward.”
“Make sure you plan for it as if it’s going to be a catastrophe,” Carlin continued. “Do the tabletop with the CEO, CFO and general counsel, and make sure it’s in a language that they can understand so they can make the risk decisions. Your job is to tee it up; their job is to decide what risk to accept.”
Map Out a Smart Crisis Communications Strategy
Another critical area that tabletop exercises help companies improve on is internal and external communication during a crisis. Companies experiencing data breaches are often asked questions by reporters that they’re not sure how to answer, or that rest on a faulty premise. Equifax, for example, was asked why it had failed to pay its security vendor, a premise that was not true.
“You’ve really got to have a smooth communication plan, because I have to pick up the phone and get the answer to that question, which never occurred to me before then,” Ayres said.
Whether certain internal emails and text messages are privileged or discoverable in a post-incident lawsuit or investigation is a complex issue, Carlin said, but those communications “legally have to be preserved,” and crises like these are exactly when “people get punchy.” So, “remind people to do smart comms,” he said. “What seems funny now will not seem funny two years from now when you’re in a deposition.”
Finally, Ayres urged audience members to be ready, as fellow security professionals, to help each other out in a crisis with guidance and their own experiences — and not to be afraid to seek help when they need it. In the middle of a cyber incident, Ayres said, “you’re going to think you’re likely not going to get through this, but the first thing to consider is you have friends in this group. It’s a close-knit group. Not only is it a small community, but you’ll realize that the same things are happening over and over.”