Why CISOs are Prioritizing Business Incident Response in 2024

Increasing recognition that cyber incident response is a whole-of-business imperative, raising the bar for security leaders

As we enter 2024, the latest commentary from industry insiders, reports, and predictions have made it clear that cybersecurity incident response is top-of-mind for leaders at organizations of all sizes and across all industries. Recent high-profile breaches, new regulations, and the ever-evolving threat landscape led to an extraordinary eight incidents per day globally in 2023 and have put immense pressure on CISOs to strengthen their security postures. Incident response is a key area that clearly should be a major priority for CISOs this year. CISOs, however, need to shift their mindset from the legacy incident response approach to the emerging business incident response paradigm.

Business incident response refers to an organization’s ability to quickly detect, respond to, and recover from a cybersecurity incident as a whole, while meeting all external reporting and communication requirements and minimizing business disruption. Unlike traditional cybersecurity incident response, which focuses largely on the technical and security aspects of incidents, business incident response takes a holistic approach that involves coordination across the entire organization, from IT and security teams to legal, PR, customer service, compliance, leadership, and many other business functions.

Beyond the fact that about 70% of the cost of an incident is from outside the security team, there are several reasons why beefing up business incident response is a priority for CISOs in 2024.

Evolving Regulatory Landscape

New regulations, such as the SEC’s cybersecurity risk disclosure rules, NYDFS Part 500 updates, and Europe’s NIS2 directive, amplify reporting obligations for organizations dealing with breaches and incidents. Failure to promptly report a cyber incident can result in significant fines, emphasizing the need for robust business incident response processes. For instance, the SEC requires public companies to report material cybersecurity incidents within just 4 days, leaving minimal time for investigation before informing regulators. Similarly, NYDFS Part 500 extends incident notification requirements for financial firms, and Europe’s NIS2 mandates reporting timeframes based on incident severity.

The strict reporting deadlines imposed by regulators will force companies to rethink their entire approach to incident response. No longer will organizations have the luxury of taking weeks or months to thoroughly investigate and remediate an incident before notifying authorities. Nor will they be able to operate under the failing paradigm of “write nothing down,” as it’s now critical to be able to demonstrate a cogent analysis and repeatable process for every incident. As the SEC’s new cybersecurity rules demonstrate, incident response records are now audited like financial records.

Meeting these requirements dictates having an agile business response plan that can rapidly assess incidents and determine if they meet the threshold for reporting. Companies will need to make decisions faster while coordinating smoothly across security, IT, legal, executives and PR to inform regulators and issue public disclosures within the mandated time frame. For CISOs, enhancing business incident response will be essential to complying with accelerated reporting rules.

CISO Personal Liability

With the conviction of former Uber CISO Joe Sullivan and charges against SolarWinds CISO Tim Brown, it seems many CISOs are realizing they can be held personally liable for improperly handling cyber incidents. The precedent set by the Sullivan and Brown cases has put CISOs on high alert about their potential personal liability. Beyond financial penalties or career implications, CISOs now face potential criminal charges and jail time for inadequately responding to and reporting incidents. Other C-level executives are also in scope for personal liability.

In addition, whistleblowers are a real internal threat, with regulators running very successful programs enticing insiders to report on their teammates and company. This has created an atmosphere of greater stress and even fear among CISOs. CISOs now appear to be (rightly) worried about going to jail or paying large personal fines for a poor incident response. To cover themselves legally, security leaders must prioritize business response plans tailored to their company within the framework of detailed yet repeatable procedures, with defined staff roles and responsibilities. 

To that end, many CISOs are shoring up their own programs, instilling comprehensive business response plans that demonstrate due care and adherence to regulations. CISOs want clearly defined playbooks that outline exactly who does what during incidents so there are no questions later about how events were handled. Protecting their own reputation and freedom will drive CISOs to make business incident response a top priority moving into 2024.

Shortened Reporting Timelines

The escalating demand for rapid incident reporting by regulators has trickled down to requirements from customers, partners, and cyber insurers. Organizations are under increasing pressure to notify these stakeholders swiftly, with some timelines as brief as 24 hours. For customers and partners, in many cases this is driven by their own regulatory deadlines–in some cases, their notification timeline starts when the incident begins, not when they’re notified, so they must move even faster than if it’s their own incident.

Similarly, cyber insurers are working hard to reduce costs from expensive cyber insurance claims. Many insurers are adding stringent requirements, such as requiring very rapid notification, in as little as 24 hours, for a policyholder to maintain a claim. If a company loses track of this requirement in the chaos that is typical early on in an incident response, it may lose its ability to get paid out from its cyber insurance policy later. Given that insurance is frequently used to mitigate risks that cannot be addressed through other means, maintaining the ability to make a claim is crucial.

Failing to promptly report a cyber incident clearly has significant consequences now across multiple axes. This has created mammoth new pressure on security teams. 

Core Requirements Remain

Of course, the core, more traditional areas of business incident response remain. Organizations should continue to focus on these areas to remain prepared:

Reducing Business Disruption

Cyber incidents can significantly impact business operations resulting in lost revenue, productivity, and customer trust. During major incidents, organizations often struggle to maintain business continuity while investigating and containing the event. Having an effective business response plan minimizes downtime and disruption across the organization. It gets teams collaborating quickly to keep the lights on while tackling all aspects of an incident. 

Business disruption directly translates to monetary losses due to decreased sales, reduced productivity, and reputational damage. An organized business response plan institutes procedures for quickly mobilizing cross-functional teams to assess and manage disruptions. Predefined playbooks designate which business units are contacted, how staff are notified of disruptions, what recovery processes are triggered, and how customers are updated. Smoothly executed business response keeps an organization operational while dealing with the root cause. As business disruption poses increasing financial risk, reducing it through solid incident response should continue to be a, if not the, top priority.

Improving Communications

During major incidents, many organizations struggle with communicating effectively across teams and to external stakeholders like customers. Clearly defined business response plans institute communications procedures like informing internal stakeholders, protecting attorney-client privilege, notifying customers if needed, dealing with media inquiries, and providing status updates. Ineffective communications during an incident can significantly worsen its impact. When inter-departmental teams don’t collaborate seamlessly, when executives are caught unprepared, or when customers are left in the dark, it erodes trust and amplifies disruption. 

A detailed business response plan designates communication owners, establishes status update cadences, provides sample press statements and customer notices, and practices these plans during exercises. Regularly rehearsing these communications procedures through response simulations helps hone an organization’s incident messaging strategy and enables continued readiness to flexibly respond to incidents.

Security Infrastructure & Architecture

In addition to having robust incident response plans in place, organizations must also continue to invest in their overall security infrastructure, tools, and architecture. As threats continue to evolve, security teams cannot become complacent with their existing controls and technologies. They must maintain adequate resources and training for upgrading tools, adding new capabilities, and keeping pace with technological advancements necessary to maintain a secure infrastructure for their products, processes, and people.

Investing in security doesn’t just mean investing in tools, but also proactively integrating security deeper into architecture and application design through practices like DevSecOps and security by design. This approach allows controls and security to be embedded earlier in the development lifecycle, creating a layered defense that makes it easier to maintain a secure presence and significantly reduces security costs later. Teams and companies that make smart, sustained investments in their security stacks and architecture will be better positioned to face the threats of today and tomorrow.

Enhancing Recovery Capabilities

Recovery is often one of the last considerations when planning for incident response. Companies need to update their incident response strategies with a focus on recovery, starting with proactively identifying critical systems and data that should be backed up and restored quickly after an incident. Defining recovery time objectives (RTOs) and recovery point objectives (RPOs) is a key step in successfully ensuring the proper systems and related processes are prioritized for restoration during an incident to minimize lasting damage to business operations. Business response plans ensure there’s a proper focus on getting the organization back up and running quickly post-incident. Testing and continuously improving recovery procedures will make organizations more cyber-resilient in 2024 and beyond.

Getting Started

With these factors in mind, what should organizations focus on to build effective business incident response capabilities for 2024?

First, every organization should have response plans and playbooks in place that cover the breadth of incidents they are likely to face. The legacy approach–a single paper plan or policy–does not cut it these days. Your plans and playbooks need to outline:

  • Internal processes across the business
  • The roles and responsibilities of all teams
  • Communications procedures
  • Integration between the technical response and other teams
  • Regulatory readiness
  • Recovery procedures

Ensure everyone understands their part, from security and IT to legal, your business units, communications, customer service, and your leadership and board.

Of course, simply having a plan isn’t enough, even a robust one focused on the entire company. Regular response exercises are crucial for training staff and identifying gaps in the plan. Exercises of all sizes, from scoped simulations to executive tabletop exercises, covering various incident scenarios allow organizations to practice response coordination across teams before facing a real incident. Start small, with a focus on short exercises based on common, smaller-scale incidents that can educate the security and IT teams, pulling in legal where appropriate, and reinforce the use of plans and playbooks. Then work to expand across the business, educating business units, communications, and eventually leadership and the board on the value of business incident response.

Proactive Business Incident Response

Taking a proactive approach towards cybersecurity incident response is crucial in the face of persistent threat actors achieving success in breaching organizations worldwide. Instead of relying on ad hoc approaches and waiting to figuratively “take it on the chin” when an incident occurs, developing a business incident response strategy ahead of attacks is critical. This proactive approach forms the foundation of a strong security posture, decreases the likelihood and impact of security breaches, and facilitates a swift recovery when incidents occur.

While implementing an effective incident response program may seem challenging to many, the integration of modern technology automation, such as the BreachRx incident response platform and Cyber RegScout™, empowers cybersecurity teams. These tools enable teams to move away from a single written incident response plan and easily design tactical, operational, and strategic approaches for handling incidents. By leveraging libraries containing compliance tasks, regulatory requirements, and playbooks tailored to common incidents, these advanced technologies streamline incident response strategies and assessments. The result is not only significant cost savings but also a faster alignment with global cybersecurity frameworks. These platforms foster team collaboration, mitigate the consequences of incidents, and expedite the overall operational response process. In essence, automation allows teams to proactively prepare and then decisively prioritize and resolve security incidents as they arise.

With regulatory pressure mounting, short notification timelines, and CISO liability rising, putting an increased focus on incident response is already crucial for security leaders. Having robust business incident response capabilities makes the difference between organizations that weather incidents with minimal disruption and those that suffer significant financial, operational, and reputational damage. If CISOs haven’t already started getting prepared, they need to double down on this new paradigm to ensure their organizations remain secure and compliant moving forward.
