We are all aware that a cyberattack can take a heavy toll on an organization’s financial and reputational status, but what about the emotional toll on the employees who have had to work through it? Recently, we addressed the human side of surviving a cyberattack on The Cybersecurity Simplified Podcast.
We interviewed Ed Vasko, Director at Boise State University’s Institute for Pervasive Cybersecurity, who has spent 30 years in the cybersecurity industry both as an entrepreneur and educator, helping organizations put cyber programs together. Carol Barkes, an expert on neuroscience-based conflict resolution and communication at Boise State, is a former firefighter and first responder.
Vasko and Barkes researched the challenges and stressors that cyber first responders go through and what the similarities between physical-world first responders and cyber first responders look like. They also studied the response of the C-suite during a cyber incident. What are executives going through from a neuro perspective, and how can cyber professionals best respond to C-suite stressors?
The Science Behind a Cyber Incident
98 to 99% of our day-to-day thinking happens unconsciously. Our brain knows what’s going on, but it filters information and then surfaces ideas that we claim as our own, even though they have been percolating under the hood for quite some time. When we are stressed, the 1 to 2% that is normally the genius decision-making part of our brain is shut down by a part of our brain called the limbic system. Two little parts of the limbic system, called the amygdala, are where our fight or flight responses come from. Since speed is essential for our survival, we respond to threats the same way cavemen did when trying to escape warring tribes or saber-toothed tigers. It becomes all about speed and all about reaction. The problem, though, is that we shut down. All the things we know to do go out the window. We overreact and don’t necessarily make the most brilliant decisions when we are faced with stress.
“How do we minimize that fight or flight response for everybody that’s involved in having to mitigate this cyberattack in a way that helps us be more productive?”
-Carol Barkes
The CISO Perspective
“I have seen the fight or flight when an event happens, and even amongst tenured, experienced cybersecurity professionals, when crap hits the fan, everything goes off the table and all the professionalism and all the courtesy is immediately out the door.”
-David Barton
In the C-suite of any organization, the role with the shortest average tenure is the CISO. CISOs tend to stay in their roles for two and a half years on average, because they have one of the hardest jobs out there. In many cases, they don’t sleep much; they work round the clock.
Why Develop an Incident Response Plan
When an organization experiences a breach, everyone is looking for someone to hang it on: Am I going to lose my job? Is it going to be somebody else’s job? Where does the blame land? In essence, this “pass the buck” mentality compounds the problem. Now the problem isn’t just the breach; there is also in-fighting about the breach, which creates a secondary negotiation and issue at hand. The human brain is not good at juggling both the breach and the stress of potentially losing one’s job.
What to Include in an Incident Response Plan
1. Create a teamwork mindset and culture
Your messaging should be “we’re all a team, we’re going to get through this!” During a breach, the storyline should not be that one person is the problem or is at fault. The problem is the breach. Everyone is on the same side of the table. Everyone is doing their best.
2. Create a schedule to allow others to rest
Research shows that, as humans, we need about seven to nine hours of sleep. When you lose that in one night, your cognitive capacity drops by 30%. If you lose it a second night, it drops 60%.
It takes about a week on average to recover. When you need every part of your brain functioning to resolve the incident, having a preset schedule allows everyone, regardless of role, to get some rest. Another important thing that happens during sleep is that our brain consolidates neurons and information, so we combine what we’re bringing in with what we already know. If we don’t give our brain a little bit of downtime, we lose the opportunity to use that 98 to 99%.
3. Include the C-suite when creating your Incident Response Plan/Tabletop Exercise
The lack of inclusion of the C-suite can oftentimes create more issues for the team and more issues for the cyber leader. Ultimately, you end up in a position where the C-suite moves into a panic state because the thought process is not necessarily on the breach at that moment or how to work as a team; the thought process is reputation, shareholder impact, financial risk, etc. Their panic turns into anger and then to grief. Somewhere in that process, there will likely be some level of overreaction.
The C-suite can have a significant impact on the team itself during these stressful situations.
“It is vital for the team to get the C-suite delegates – COO, CFO, CEO — out of the real intensive emotional environment of a breach.”
-Ed Vasko
4. Connect the dots
All humans have this tendency that if we don’t have all the dots connected, we go and create evil plot twists. It is so important to connect the dots for everyone, whether they are our shareholders, stakeholders, or the management team. We want to connect as many dots as we can.
“Even if those dots say, ‘We don’t have all the answers to all those dots, but here’s what we’re doing,’ it helps people from overreacting that, ‘Oh my gosh, we’re going to dump these shares’ or, ‘Everybody’s fired,’ or what have you.”
-Carol Barkes
5. Communicate, communicate, and communicate
A cyber incident is not a time to stop communicating. This is a time to overcommunicate. Share what happened, what steps you’re taking, and what to expect in the coming hours and days. Create a communications plan that says, “When this happens, this is what you can expect to unfold,” to prevent knee-jerk fight responses.
6. Channel Mother Teresa
If someone is in a fight or flight situation, you will likely see anger or intense emotions. Channel your Mother Teresa or Gandhi. In the neuroscience world, there’s a saying that those who have control of their emotions win. Try to help de-escalate the situation rather than going head-to-head with them.
Companies need to have a plan around the emotional toll it takes on employees during a breach. Part of the plan should include how to deal with their mental state:
- How do you prepare your team to respond when fight or flight happens?
- How do we get them out of their own way? Because even the most experienced security practitioners will forget all the stuff they’ve been trained to do when it’s just a matter of survival.
Meet the Experts
Edward Vasko, CISSP
Director, Institute for Pervasive Cybersecurity
Edward Vasko comes to Boise State with 30 years of experience as both a cybersecurity business executive and entrepreneur. Prior to joining Boise State, Edward established and was a Senior Vice President at Avertium, a leading national managed security and consulting provider. Before Avertium, he was the co-Founder and CEO of Terra Verde, based in Phoenix, Arizona. Edward grew Terra Verde into Arizona’s largest provider of cybersecurity advisory and managed security services, with over 2,000 active clients around the world. A successive entrepreneur, he has started and run five businesses, all in the cybersecurity industry.
Carol Barkes
Conflict & Communication Consultant | Speaker | Trainer
Carol Barkes holds an MBA in Negotiation & Conflict Management; a BBA in Global Leadership & Influence; an AA in Fire Science; and is currently pursuing a PhD in Peak Performance Psychology with an emphasis in Neuroscience Conflict Resolution.
As an innovative conflict resolution expert in the ground-breaking science of neuro mediation, Carol’s passion is conflict resolution with optimally successful results. Her process includes coaching and educating individuals and business executives, HR departments, court systems and anyone stuck at an impasse. She mediates hundreds of cases annually with an industry-leading 90%+ resolution rate. Barkes is well-versed in the latest neuroscience techniques that create productive change in the most compassionate manner possible. She is an avid and experienced public speaker and published author.