How to demonstrate leadership during a cyber attack: Three key areas to focus on

15 Jun 2020

By Richard Horne, Cyber Security Chair at PwC

A major cyber security breach is a leadership crisis as much as it’s a tech crisis. It’s unlikely that many employees will have previously experienced a significant cyber attack, so they’ll look to the C-suite for guidance and reassurance on how they should respond.

The coronavirus (COVID-19) pandemic has only increased the importance of strong leadership. Employees are working in unfamiliar situations whilst also facing huge changes in their personal lives. We’ve seen a rise in the number of high profile cyber attacks, many being ransomware incidents designed to paralyse business operations by encrypting critical data and any backups until a ransom is paid. And if you add in the possibility of new risks from businesses bypassing good practice in the rapid shift to remote working, it’s important companies are prepared should an incident occur.

While senior leaders can manage the risk from a cyber attack by taking steps to secure their organisation’s IT systems, they should have a thorough response plan ready in case a breach occurs. Below I’ve listed three key areas the C-suite should focus on to provide strong leadership during a cyber attack, along with aspects to consider in your planning.

Stakeholder management

In a cyber security crisis, especially one which requires a significant IT rebuild, senior leadership need to deal with the fallout while giving the organisation space to focus on getting systems secure and back online. A key challenge here will be managing different stakeholder groups. This could include clients, board members, shareholders and regulators, concerned about customers’ data being exposed.

Each group will have different priorities and expect frequent progress updates - made harder by current remote working meaning people can’t speak face-to-face and IT teams having to work through issues from different locations. IT teams can be shielded from this if there’s a clear communication channel between them and the crisis leadership. This helps ensure that the delivery team is clear on its priorities and empowered to ignore conflicting or time-wasting requests that come in via other channels.

Emotional resilience

It takes an enormous amount of emotional resilience to successfully lead an organisation through a cyber security crisis. Long hours, pressures to get systems back online and unexpected setbacks all take their toll. This is often exacerbated by recovery from a cyber attack feeling like it should be over quickly. It can take months to fully resolve a major breach, and it’s easy for senior leaders to get sucked into dedicating all their energy into fixing immediate problems each day and not think about their role or personal wellbeing in the long-term context.

Leaders need to guard against the psychological pressure of not wanting to be seen to be absent when everyone else is working hard. If they aren’t careful, they risk becoming less effective, or even reaching a personal crisis point if they don’t recover properly. They should set an example to others by taking regular breaks when possible to maintain efficiency and a clear head.

Adding to the pressure on leaders and perhaps most uncomfortable for some, is the fact questions will need to be asked about whether mistakes were made which led to a breach. Though difficult, these questions must be asked and action may be required to restore stakeholder confidence. However, it is always important to avoid rash conclusions being drawn in the ‘heat of battle’, and best wherever possible to address through a measured post-incident review.

Employee wellbeing

We often underestimate the stress that a cyber attack can inflict upon employees. For example, those who are loyal to the organisation will be emotional about the fact that it’s been breached, while IT teams might feel responsible for security failures. Companies who have been working hard to support customers during the pandemic could suffer a blow to morale if these efforts are compromised due to a breach.

There also needs to be recognition that employee wellbeing and morale will be impacted differently depending on their job role. Some parts of the organisation will be overworked, such as the IT and customer-facing teams, while others may be in limbo waiting for systems to come back online.

The C-suite needs to have a proactive approach to managing employee wellbeing and communications. On a practical level, this will involve having a plan to manage workloads and ensure people get proper breaks, potentially by calling on surge resources from third-parties.

I’ve only touched on three areas that senior leaders need to consider during a cyber security crisis – there are a huge number of other pressures that will need to be dealt with. That’s why a robust crisis response plan, agreed with key stakeholders is so critical. It means everyone knows their role and responsibilities, including the C-suite, so the organisation can focus on recovery.

Get in touch with Richard Horne to find out how we can help manage your cyber security strategy and design an effective response plan.