When a Breach Isn't All Bad: Making the Most of Adverse Cyber Circumstances

Originally published by CXO REvolutionaries.

Written by Ben Corll, CISO in Residence, Zscaler.

Would you do business with a company that’s recently been in the headlines for a data breach?

I would. Let me tell you why.

High-profile incidents are one of the most surefire ways to get companies to take cybersecurity off of the back burner and into focus for leadership. Breaches are commonly due to a lack of resources, whether that be skilled personnel, the right tools, or a lack of progress toward a mature cybersecurity program, as defined by NIST or measured against the MITRE ATT&CK framework, for instance.

Before a breach, many companies can’t imagine themselves being targeted – too small, not the right sector, or simply not on anyone’s radar they suppose. Because they do not believe they will be targeted, they don’t invest much in their solution sets. Top brass considers the time-tested cyber standard of endpoint protection tools (e.g., antivirus) and network-based firewalls sufficient to protect the organization.

Then, catastrophe strikes.

Suddenly, budget is discovered. Cyber risk mitigation processes are created, endorsed, and enforced from the top down. Skilled staff is hired, even if it’s in the form of an outsourced security operations center (SOC) or managed detection & response (MDR) solution. Security departments are given free rein to crack down on cyber workarounds. Cyber becomes an organizational imperative.

As with most popular memes, there’s more than a grain of truth to this one.

People used to say that the safest time to fly was following an incident. While there’s almost certainly no evidence for this (flying is among the safest means of travel), in my experience, it holds true for organizations following a breach.

For CISOs and their teams, this right-sizing of cybersecurity priorities is often a vindication of what they have long-argued: that a breach is a real possibility for companies of nearly any size, especially with financially motivated threat actors still willing to conduct “spray-and-pray” attacks. For senior leadership, it's a public relations nightmare and the moment cyber controls cross the boundary from theory to real-life consequences.

In either case, a recently breached organization often makes light years of progress in the months following the incident, sometimes to the point of implementing protection strategies that have them leapfrogging partners and competitors in their space.

Of course, no company wants to suffer a breach. After all, they’re expensive enough to sink many smaller organizations. Reputational loss is a real – if potentially fleeting – side effect. And a bungled response invites further blowback. But let’s be realistic. Absent the proper controls properly implemented, a breach is a near inevitability.

What truly matters is how an organization internalizes the lessons of its breach. What’s bad for a business can be a boon for its customers. Vigilance typically spikes following a cyber incident, and if that attention to detail carries forward into the future, it can be a turning point for businesses operating in an era of expanded digital presence and reliance on internet-enabled processes.

A post-breach future, in other words, can be bright. So rather than avoid doing business with an organization that’s just suffered some sort of cyberattack, I may see that as a reason to enlist its services.

Provided leadership takes the experience to heart.

Bouncing back from a breach

What’s a CISO to do the day after one of the most challenging of his or her professional career? The pocket book is now open, but nothing will clamp it shut quicker than an ill-conceived spending spree. So what now?

Some quick tips:

• Keep a level head – There’s a good chance you’ve prepared business cases and roadmaps that were not accepted. Dust those off and be ready to represent them to leadership. This may even be time to suggest revolutionary, rather than incremental change.
• Assemble your allies – You’re not in this fight alone. You have allies. Use them. Review the findings and recommendations from your incident response team. They likely will have recommendations for next steps.
• Evaluate your tools – This is the time to highlight missing pieces in your defenses. Don’t miss the chance.
• Share intelligence – Was a threat intelligence unit providing insights prior to the breach? Were these acted on? If not, now is the time to set up a program. You’ll likely have others testing your perimeter for weaknesses for the next few months. Pay close attention to these efforts.
• Learn from the experience – You have joined the ranks of the battle-hardened. You’ve been knocked down and you survived. Dust yourself off and be ready to go another round. You are now wiser and more experienced.
• Talk about it – Be willing to share your experiences with others. Present at a conference. You don’t need to hide and act ashamed. You’re not alone. You weren’t the first to be successfully attacked. You won’t be the last. Talk, share, and improve based on the feedback you receive.

We CISOs are the defenders, the protectors of our organizations. We may not be perfect. We won’t always be successful. But we can always keep fighting.