Why the CEO and Board Need to Prioritize Security Crisis Management

By Robert Boyce


Cybersecurity Risk Management Online Article

Business decisions are hanging in the balance as the war in Ukraine challenges the status quo. It is no surprise, then, that well-established cybersecurity threats, such as ransomware, may not be at the top of the boardroom agenda now.

Yet the oversight could be costly—and not just financially. In its State of Cybersecurity Resilience 2021 research, for example, Accenture found that 20 percent of costs associated with ransomware and extortion incidents are attributed to brand reputation damage.

Business priorities are in the spotlight following any ransomware attack, and your security team should have an incident response plan in place that details how to get the business up and running again. But Accenture’s research suggests that the connection between business strategy and security efforts could benefit from being even more closely aligned.

Board members need to consider how the business currently responds to cyber crisis events and ask themselves:

  • Are we treating cyberattacks as “just a security problem”? Enterprise crisis response is a team sport, so your security team’s traditional cyber-incident response plans should evolve. A business-focused crisis management approach is necessary to deal with modern destructive events.

  • Are our crisis communications fit for purpose? Cyberattacks are complex, and existing crisis communications often lack the transparency and agility to deal with them. A predefined decision framework—coupled with a greater understanding of the industry, its regulations, and customers—can support more robust crisis communications.

  • How comprehensive is our approach? Think about your business and the business of others: as attack surfaces evolve, crisis response needs to extend to address impacts on customers, corporate subsidiaries, suppliers, third parties, investment portfolios, and mergers and acquisitions targets.

Buying In

Disruptive roadblocks such as pandemics and geopolitical issues aside, opportunity is knocking on the boardroom door. Recent times have shown us how business models can be reinvented, supply chains restructured, and increases in productivity made a byproduct of remote working.

Businesses have gained new momentum from this period of compressed transformation, and we’ve all been amazed by the scientific and technological breakthroughs that have made it possible. But perhaps most importantly, we’ve been shown how collaboration and communication make all the difference to the end game.

Because boards steer the business, their decision-making must be influenced by the right information. Having a holistic “bigger picture” means they can adjust the overall strategy to suit. In its State of Cybersecurity Resilience 2021 research, Accenture found that many organizations are already improving the C-suite channel to security teams—72 percent of chief information security officers are now reporting to key business decision makers, whether that’s boards (23 percent) or CEOs (49 percent).

As Accenture cyberthreat intelligence has identified, ransomware is anyone’s game and is proving to be easier than ever—now, you can buy access and malware and simply execute a ransomware attack. This means ransomware and extortion practices are growing—there’s a 107 percent year-over-year increase in ransomware and extortion attacks and 33 percent increase in intrusion volume from ransomware and extortion.

Below are three areas boardrooms should consider closing the gaps between the business and security:

  1. Introduce a “real-life” attack scenario. Ensure tabletop exercises with security personnel include executive-level simulations so that organizations can test their defenses against a typical ransomware attack. Imagine three lines of business are down due to an attack, with a threat actor asking for $10 million. You might need to determine in real time which business should be recovered, how to communicate your response, and who is responsible for making those decisions.

  2. Define a crisis decision framework up front. Identify decision-making thresholds aligned to the business strategy, the organization’s risk tolerance, its cyber communication strategy, and clear accountability for both technical and business decisions during a crisis event. Decision-making criteria should be reviewed and fine-tuned regularly to keep pace with organizational change.

  3. Document and use that framework. Shape the communication strategy and implement a balanced approach to threat containment and eradication by better preparing to speed up responses and ease the pressures of extortion demands.

With more agile, robust, and transparent crisis management capabilities, the CEO, board, and rest of the company can handle ransomware events better and improve overall cyber resilience.

Robert Boyce
Robert Boyce is a managing director in Accenture’s global cybersecurity practice.