This is part three of our interview with Dr. Taeho Kgil. In part one we discussed the power of a trusted network in driving positive security outcomes. In part two, we discussed what makes an internal or external product launch stressful for the security team and what could be done to ensure a positive security outcome without the high stakes and high stress. In this part, we talk about why being breached is stressful, what we can do to prevent stress from arising during a breach, and finally what we can do to cope with the stress during an investigation.

A breach will occur; it’s a question of when, not if!

Most companies want to do the right thing after a security incident occurs. For companies operating in the USA, the US Securities and Exchange Commission requirements on disclosing a cybersecurity incident are highly stressful.

Firstly, companies typically want to be transparent. However, the company may not accurately know what the impact of the incident is or what happened to the environment in the first 48 to 96 hours. It might take weeks to know and then it might take close to a quarter or even more to “fully recover”.

Then there’s the high-stakes pressure of:

  1. Communicating the issue
  2. Solving the issue
  3. Getting the right stakeholders involved if it affects profitability and business continuity

No one is fully prepared for such an event. They might be prepared for parts of a breach but not the full life cycle.

And that’s one of the major factors for so much stress: it rarely occurs, but when it does, there’s so little time to accurately report and resolve the incident. Until the incident has been contained/recovered, there will be negative brand impact and revenue impact, and if the security team does not do a good job, they might lose their jobs.

There are a couple of ways of reducing the stress and improving human performance here. The first is what is commonly known as Red Teaming, i.e., you attack your production environment and learn about your own weaknesses at a technical, process and human level. The second is looking to the military and running breach drills. Cybersecurity breaches are increasingly being viewed as acts of war. Running through breach simulations on an annual basis can drill the necessary stakeholders on the people, processes, communication protocols and technologies to leverage when a real situation occurs.

However, not all breaches are catastrophic. And, not all cybersecurity teams are equally liable for a breach. Unless security engineering has built a really bad security mechanism, it’s the operational team that’s going to be questioned first.

A breach can be stressful; that’s why regulating our emotions and maintaining soundness of mind during this phase is key to containing stress and performing well.

One way of doing that is by synchronizing our psychology with reality. That means asking questions that bring us objectively closer to what the current situation is.

  1. “Are we still under attack?”
  2. “How much damage did we get that’s impacting availability of services?”
  3. “Are we following standard procedure?”
  4. “Is the environment contained?”
  5. “Is this catastrophic?”

Statements that are counter-productive in such situations for the security team are:

  1. “We lost this much, Oh My God!”
  2. “We need to do a better job of damage assessment, it’s going to impact …”

These might be natural reactions, and that’s okay. However, being able to think clearly through the situation is important.

As a leader, you influence how your team performs in such a situation. The following are ways that have worked across multiple breaches.

  1. Expressing compassion: we are in this together, you are not alone.
  2. Sense of community: we are all impacted and we are going to get this done together.
  3. Workload management: remove other tasks to help focus on the current task, and prioritize the tasks
  4. Health and family check: checking in on how they’re holding up and making sure their personal issues or family are taken care of first
  5. Periodic communication: establishing a cadence to align and synchronize
  6. Semi-transparent communication: sharing necessary information to align the team on what impacts the team and the immediate matter at hand
  7. Providing clear goals: chunking down a goal into atomic tasks helps drive focus and clarity