Mapping Leadership Talent To Cybersecurity: Part 5, Respond



It's time to break the glass -- don't just stand there, do something!

This is no time to find out whether your cybersecurity governance is adequate, or whether you have identified all the right assets, or whether your protection protocols are in place. Your systems have detected a problem and it's time for action.

Let's let Brendan discuss it:

Both the Respond pillar and the Recover pillar are unlike the other three: they are triggered by an incident and different from the other steps because the other steps are part of normal operations. Respond and Recover also always happen in tandem, which is why we group them together as part of the Incident Response Plan (IRP).

The IRP formalizes incident handling, so that everyone knows what their role is in advance. The IRP covers both the Respond step (halting the problem and trying to restore normal operations) and the Recover step (undoing as much of the damage as possible, preventing a recurrence). The IRP gives us a Respond checklist, a Recover checklist, a review process which looks backward at what happened (the Incident Report) and which looks forward to improvements (the Recommendations).

What distinguishes Respond from Recover is the time frame: Respond is always urgent, perhaps even emergent. This is why the part of the IRP dealing with Respond is so important: in a crisis, people fall back on what they know. With a good IRP, everyone knows the following about the Response:

  • Who is in charge of what; this is crucial to acting with both rapidity and effectiveness.
  • Who is part of the response and who is not: too many cooks in the kitchen is a problem to be avoided.
  • What the lines of communication are: you need quick, authoritative and correct answers.

In the real world, the IRP will not solve every problem, nor will it answer every question. Every incident is a learning experience. The goal is to avoid re-learning what you should already know and to avoid learning things you could have foreseen.

In particular, Respond is not a good time for philosophical debates about the relative value of, say, getting back to normal operations versus ensuring that the incident does not reoccur. This is part of the reason that it is so useful to know who is in charge of what: when Ops screams for uptime and Cybersecurity demands downtime, someone has to avoid deadlock by making a decision.

The balance is responding adequately and effectively. You can't unplug completely; people still need access.

We've profiled strong cybersecurity leaders as part of our assessment development process working with Conchie Associates. Here is one surprising finding: even among highly talented cybersecurity leaders, there are areas where they excel and areas where they struggle.

Here is our take on Respond for a cybersecurity leader:

RESPOND — Incident Management, Command & Crisis Communication

The RESPOND function is the most time-pressured CSF function. Everything happens in real time under stress.

RESPOND performance depends on a cluster of themes:

  • Assertiveness (decisive command)
  • Catalyst (rapid organizational mobilization)
  • Flexibility (real-time plan adaptation)
  • Credibility (stakeholder trust during crisis)
  • Responsibility (accountability through post-incident documentation)

There are some obvious and subtle patterns in these themes. Your own accountability as a leader is on the line. Your team will mobilize because they find you credible; sure, you can light a fire under people's butts but unless you plan on fueling that fire it dies out. Also, you are the leader the entire organization looks to for answers, and you either get the credit or the blame.

A subtle pattern you see here is that there is adaptation and mobilization of a plan. That plan has been tested and validated. It's behind that glass door for times like these. First your process verifies that you need to break the glass and that it's not a false alarm, then it's 'go' time. Finally, as the nature of the threat shifts, the response shifts into new phases.

Even among our sample of highly talented cybersecurity leaders, people with decades of multi-national experience and success, this is one of the hardest CSF areas relative to its talent composition.

Here is how our report describes our most talented assessee for this area:

"[The assessee] combines exceptional Assertiveness, high Flexibility, high Credibility, and high Sophistication. His profile is arguably the most natural incident-commander signature in the cohort."

Here is the second-most talented assessee -- loaded with talent, but note the style the assessee brings that might need mitigation:

"[The assessee's] exceptional Credibility means stakeholders will trust his voice during a crisis: regulators, legal counsel, board members, and the public will believe the face of the response. His high Responsibility is operationally consequential for the post-incident accountability and documentation dimensions of RESPOND. Exceptional Logic supports analytically grounded response decisions, and exceptional Belief supports principled handling of incidents involving ethical or legal complexity. However, his low Catalyst score is the dominant operational constraint: he is unlikely to mobilize the organization at incident onset, and his moderate Assertiveness means decisive command during rapidly escalating moments may be inconsistent. [The assessee] is therefore a strong post-detection RESPOND leader -- credibility, principled judgment, and accountability discipline -- but not a natural incident-mobilization leader."

What about the lowest-scoring assessee?

"[The assessee] rates Limited on RESPOND — Credibility and Flexibility are solid, but moderate Catalyst and Assertiveness combine into a profile that will struggle to mobilize and command. For RESPOND-heavy roles, [the assessee] would require extensive operational scaffolding."

Let's recap. Among these three highly successful assessees, each of whom has significant talent in some areas of the CSF, even slight gaps can be a problem with RESPOND.

What do we do about this?

We have a strong belief that part of an organization's success requires excellence in human capital identification, accession, and development. You cannot be a world-class cybersecurity program without world-class practices. Response is necessary at all levels of a cybersecurity program. You cannot outsource it, you cannot think it won't happen to you, and your career is defined by how well you manage it regardless of your other talents.

While other CSF pillars are easier to see on the resume, Respond might be what we refer to as your "hallway file" -- how you are, how you treat others, how you work when it seems no one's watching or you're "off-duty."

The entire response plan needs to be developed, articulated, practiced, and if necessary enacted. It ends with the final CSF phase, Recover.

It's called talent and it's not on the resume.

Ask us how you can measure whether your cybersecurity leaders have the talent they need -- and what to do if they need more of it.

(image credit: Bigguy637, CC0, via Wikimedia Commons)


