Cloud CISO Perspectives: How boards can help cyber-crisis communications

Welcome to the first Cloud CISO Perspectives for October 2023. This month, I’ll be discussing the increasingly-important (and often undervalued) organizational skill of crisis communications — and how boards can help prepare their organizations for the inevitable. Effective crisis communications was a central pillar of our third Perspectives on Security for the Board report, published last week.

As with all Cloud CISO Perspectives, the contents of this newsletter are posted to the Google Cloud blog. If you’re reading this on the website and you’d like to receive the email version, you can subscribe here.

Boards of directors serve in oversight capacities to assure their organizations are ready to handle security incidents, and a big part of this includes cyber crisis communications. I believe that a board that can help its organization prepare for worst-case scenarios is taking part in preemptively reducing the impact of those scenarios.

Effective crisis communications can create a vital lifeline to continuity of business efforts and can help minimize the impact of a cyber incident. Of course, it’s crucial that organizations have timely detection, containment, eradication, and recovery capabilities. Yet just as important is training in advance the organizational muscles needed to communicate quickly and effectively with stakeholders, customers, and the wider public during a cyber-crisis, maintaining and possibly even improving trust.

A swift and coordinated response to a crisis is imperative. Social media platforms, official statements, and regular updates shared across multiple channels are all crucial components of a successful crisis communications strategy.

In our most recent board perspectives report, we shared lessons learned from Mandiant’s Crisis Communications response specialists’ first-hand experience addressing cybersecurity crisis communications. Their guidance below covers key questions to ask of your C-suite, IT, and security leadership, and four key phases of the crisis communications response.

This foundational phase is an essential activity for all organizations, regardless of size, sector, or location. The approach to planning should be customized to the organization, providing a written and repeatable plan with clearly defined roles and responsibilities, a governance structure with formal decision authority levels, and a framework for response.

The crisis response team should include representation from across the organization. You can’t anticipate what you’ll need, especially when it comes to provisioning hardware, disseminating actionable intelligence, and conducting insightful data impact assessments. The team should also implement a governance and management model, with specific working groups aligned to functional responsibilities.

The second phase, also part of the pre-breach response, is the “Assurance” or exercise phase. During this phase, organizations should exercise their team’s response based on real-world attacks and scenarios. Some states have even moved to mandate this as part of the board response. Regularly conducting cybersecurity tabletop exercises and crisis simulations can significantly enhance your preparedness. These exercises not only help refine incident response processes, but also provide invaluable experience for organizations in managing real-world scenarios.

Response execution will be defined by the priority and attention you put into the first two phases. When the day comes, it is imperative that organizations are able to quickly spin up their teams for response. Actions taken during the first two phases should have helped delineate roles and responsibilities, and should have helped establish a working governance structure to guide the response.

Response teams will be able to organize the requisite information exchange sessions, and track the action items and tasks. They will have already mapped their stakeholders and communication channels, and be able to quickly assess channel readiness. The smoothest and most-effective responders are usually those who are well-trained, well-equipped, and have pre-staged the requisite tools ahead of time.

Emotionally and operationally, managing a breach can exact a high toll on those who’ve lived through it. Many people never want to talk about the incident again. However, as difficult as it may be, it's important to complete the post-incident review. This phase starts just as the dust settles — the investigation is complete, the remediation activities restored business

operations, and notifications have been made to regulators or victims. Some may also call this the “After Action” or “Lessons Learned” phase, and second to planning, it is one of the most important phases.

You can hear more frontline stories of how Mandiant Crisis Communications supports organizations who’ve been breached in this podcast.

Because of its oversight position, the board is well-suited to helping to craft a multifaceted approach that intertwines robust technical defenses and crisis communications strategies. This integration creates a better foundation to safeguard your organization’s digital assets and reputation. Key questions that boards should ask their C-suite, IT, and security leadership include:

• What is your role in the event of a cyber incident?
• What are your organization’s regulatory and legal reporting requirements when it comes to an information security, data, or privacy incident?
• How will you be contacted in the event of an incident, and what is your process to authenticate the communications?
• Do you have a secure method to share and receive communications related to an incident?
• How often are you receiving regular threat intelligence briefs that will help inform your risk-based decision making?
• Have you confirmed your organization has cyber incident response plans, playbooks, and documentation?
• Are you participating in executive tabletop exercises?

The critical role of communication in managing incidents can not be overstated for business leaders. As we navigate an ever-changing and complex business landscape and risk environment, the ability to respond swiftly and effectively hinges on our communication strategy. Timely and transparent internal and external communication ensures the safety of employees and assets, and safeguards an organization’s reputation and stakeholder trust.

Each board member should champion this cause within their respective spheres of influence, encouraging a culture of open and effective communication at every level of the organization. Adopting and training a crisis communication strategy as a team can help mitigate risks and create opportunities for growth and innovation. Organizations can often emerge stronger and more resilient to face their future challenges.

Here are the latest updates, products, services, and resources from our security teams so far this month:

• Google mitigated the largest DDoS attack to date, peaking above 398 million rps: Google Cloud stopped the largest known DDoS attack to date, which exploited HTTP/2 stream multiplexing using the new “Rapid Reset” technique. Read more.
• How it works: The novel HTTP/2 ‘Rapid Reset’ DDoS attack: Learn how the new DDoS attack technique Rapid Reset works, and how to mitigate it. Read more.
• How Sensitive Data Protection can help secure generative AI workloads: Here’s a data-focused approach to protecting gen AI applications with Google Sensitive Data Protection, along with some real-life examples. Read more.
• Reddit uses Web Risk to protect users against phishing, malware, and social engineering: To keep Reddit a welcoming and real space for users, Reddit used Google Cloud’s Web Risk API to evaluate URLs in user-generated content at scale. Read more.
• Introducing Google Cloud Firewall Plus with intrusion prevention: This update to Cloud Firewall Plus provides protection against malware, spyware, and command-and-control attacks on a customer’s network. Read more.
• Deliver and secure applications in less than an hour using Dev(Sec)Ops Toolkit: The Dev(Sec)Ops toolkit helps customers accelerate the delivery of internet-facing applications with Cloud Load Balancing, Cloud Armor, and Cloud CDN. Read more.
• Manage infrastructure with Workload Identity Federation and Terraform Cloud: Terraform Cloud workspaces integrate with Workload Identity Federation to authenticate and then impersonate Google Cloud service accounts. Read more.
• Introducing Advanced Vulnerability Insights for GKE: Artifact Analysis in partnership with Google Kubernetes Engine has introduced a new vulnerability scanning offering called Advanced Vulnerability Insights. Read more.
• Additional signals for enforcing Context Aware Access for Android: BeyondCorp Enterprise, Workspace CAA, and Cloud Identity can now receive critical Android device security signals for both advanced managed devices and, for the first time, basic managed devices. Read more.
• reCAPTCHA Enterprise and the importance of GDPR compliance: Google Cloud reCAPTCHA Enterprise can help businesses comply with GDPR by securely processing personal data to customer instructions. Read more.

• Assessing North Korean cyber structure and alignments in 2023: North Korea's offensive program continues to evolve, showing the regime is determined to continue using cyber intrusions to conduct espionage and financial crime. Read more.
• Analysis of time-to-exploit trends from 2021-2022: Mandiant Intelligence analyzed 246 vulnerabilities that were exploited between 2021 and 2022, and found that the number of exploited vulnerabilities each year continues to increase, while the overall times-to-exploit is decreasing. Read more.

• Ask us anything, 2023: Where did the “3 a.m.” cloud security test come from? What’s your security “secret origin”? Hosts Anton Chuvakin and Tim Peacock get personal in this year’s podcast AMA. Listen here.
• Coast to Coast, 2015 to 2023: Cloud security ch-ch-changes: From an east versus west cloud CISO mentality to how cloud security has changed since the formative year of 2015, Anton and Tim look for clues to the future of cloud security in its deep dark past, with Jeremiah Kung, global head of information security, AppLovin. Listen here.

To have our Cloud CISO Perspectives post delivered twice a month to your inbox, sign up for our newsletter. We’ll be back in two weeks with more security-related updates from Google Cloud.