Lesson 6.4: Communicating to executives about the incident.
The objectives for this lesson are to identify the best practices when communicating cyber risk to executive leadership, and to understand what items may be discoverable and how that may be considered when documenting incidents. When you communicate with the board and with executives, there are some best practices and also some things to be aware of.
The first thing I want to talk about is the fact that some information may in fact be discoverable. By discoverable, I mean it could be turned over to another party during litigation. There was a recent court case where this was highlighted: a report written by an outside consulting firm about some cyber information was in fact deemed discoverable by a judge, and that was handed over to the attorneys that were suing that company over a data breach. So you do want to be careful about what is put into a report and what might be handed over if, in fact, your company is sued over the cyber incident that we're talking about.
Be ready to anticipate questions from the board and from executives. Now, this is different than the other questions we've gone over quite a bit in this course; this is more about the after-action report and the final debrief. The investigation's over, things are back to normal, and now let's do this debrief.
Some of the questions they may ask you include: How much is this going to cost? And that cost is not just how much it might cost for the consultants that you brought in or the retainer that you exercised, but overall, what is the cost of this incident to our business? What is the lost revenue as a result of the incident, if there was any? What is the cost that we need to invest to fix whatever the problem was that led to this, if that's appropriate? So just think about those numbers.
Was this due to our negligence? This is especially a question you get from the board, if you are somebody who reports to the board. Were we negligent in any way in this, and if so, how? In your opinion, did we handle this correctly once it was discovered? These are not easy questions to be presented with, but that's also why you need to make sure you have these ready to go. I would practice: have somebody ask you these questions and answer them a couple of times, to have your talk track down.
What are we going to do to prevent this from ever happening again? Make sure to be careful with this one. Of course, answer the question, but in a way that acknowledges you can't always say, "Well, this will never happen again." If it was a user that clicked on a link that caused malware to download to their system, and then it went off laterally because the adversary had a beachhead on that system, I'd be very careful to say that's never gonna happen again. And I would make sure to talk about that, too. But you can say, "Well, here are some things we can do to greatly reduce the likelihood: we need to implement cyber awareness training; we need to have a gateway that scans all the links coming in to our users, some sort of security appliance that you might implement, whether it's through your firewall or your email provider, to make sure they're safe; we need to have a sandbox for things that come in to be run through and see whether or not they're malicious before they are actually allowed to be clicked on by the user." So you can see where I'm headed with this, but have some answers like that ready to go.
But we really want to focus on the future instead of dwelling on the past. So what are those things we can do? This is a great time to say, "Well, we've already thought about a lot of that. This is where we're at from a maturity standpoint; this is where we think we should be for our size of organisation. We've benchmarked ourselves across this industry. Our budget is lower, our staffing is lower, our equipment is lower. Here's how we think we could get better."
Consider bringing in an outside consultant as well to talk through some of this. This really depends on your relationship with the board, whether or not they value you and think you're an expert in your field. But sometimes it's difficult to be an expert in your own home, and you might need to bring somebody in from the outside to help talk through this.
Also, be careful about the amount of technical detail. You'll quickly see their eyes glaze over and they lose interest. So focus on the mission or business and the risk, and talk about how you might be able to improve those things and the impact this had on the bottom line, and those kinds of things. Don't get into the weeds about the malware and vulnerabilities and all of that, unless you happen to have a really savvy board that asks you to go there.
Consider some ways to communicate with the board or executives in a graphical way that they will understand and latch onto. One thing I like to do is to put everything in some sort of a framework and then consistently reuse this framework as I talk, so people get used to my messaging and they understand where I'm going with this.
The Cybersecurity Framework is a great way to do this. You see, on the left, I've got the five functions we've already talked through: Identify, Protect, Detect, Respond, Recover. Then I have a little blurb about, well, this is our ability to manage cybersecurity risk to the systems, assets, data and capabilities under Identify, and I have one of those for each section. Then I've put where I think this organization is at, red, yellow, green, something that all boards of directors and executives are very used to seeing on dashboards, and then to the right, here's how we're going to make us better.
So for Identify, I say we're green, and I might have, you know, some plans on there, but I'm not gonna dwell on that much because I think we're good. Where I'm really gonna focus is on the two reds and a little bit on the amber, the yellow. That's where I want to say we're not so good at detecting, clearly, based on this incident, but we always knew we were not great there. So here are our projects and plans that we have in place, or that we would like to do if we could get the funding, to make us better.
So be prepared for that. And then as you brief, hopefully you get in front of these people more often, you can show the same graphic and say, "OK, last time I showed you this is where we're at. Now we are yellow for Detect; we're still red for Respond, but we're working it. We anticipate in the next month we'll have that up to yellow." And then maybe we're gonna bring back those people that helped us with our maturity assessment and confirm our belief that that's where we are.
All right, quiz question for this lesson. True or false: briefings to executive leadership or boards of directors should be highly technical.
That is definitely false. They're not gonna follow or want that level of detail, so keep it to mission, business, and risk-type decisions.
So, in summary, we talked about the best practices when communicating cyber risk to executive leadership, and what items may be discoverable and how that should be considered when documenting incidents.