10 Cyber Incident Response Tips From Those Who’ve Had a Breach and Lived to Tell About It

In Commentaries and Analyses
May 11, 2024

Information Week recently reported on an interesting panel at the RSA conference in San Francisco:

Patricia Titus, chief information security officer (CISO) of Booking Holdings Inc., moderated the panel “Life After the Breach: A Survivor’s Guide.” The panelists included Tim Crothers, CISO of Mandiant; Russ Ayres, SVP and deputy CISO of credit bureau Equifax; and John Carlin, a partner at Paul, Weiss.

The panelists have extensive experience dealing with the aftermath of a cyber incident. Previously, Crothers worked for Target, joining in 2014 to help rebuild its security reputation shortly after its legendary 2013 data breach. Ayres was with Equifax during its 2017 data breach, which exposed the personally identifiable information of 143 million US consumers and the credit card numbers of 240,000 US consumers. Carlin served in the US Department of Justice as Acting Deputy Attorney General, developing the DOJ’s ransomware task force and contributing to the response to the incidents at SolarWinds and Colonial Pipeline.

The panelists’ recommendations are less about technical security controls than about communications and the other non-technical aspects of incident response. Consider their first recommendation:

1. What seems funny today…isn’t

John Carlin: “You and your people are going to be working 24/7. That’s when people get punchy. You’re going to be using all these real-time communications — they get preserved, they legally have to be preserved. Make sure you do refresher lessons on ‘smart comms’ to remind everybody: What seems funny now, does not look funny two years from now when you’re in a deposition or up in Congress. That little reminder can save you and your company so much pain.”

That’s sound advice. To read the rest of their recommendations, see Information Week.