David Estlick, chief information security officer of Chipotle Mexican Grill joined James Christiansen, vice president and CSO of cloud security transformation at Netskope, to speak about managing corporate expectation. (Photo by Steve Dykes/Getty Images)
A potential data breach inside an organization typically brings demands from top executives for answers, often before security teams can provide any. Security professionals should proactively set expectations: most of the initial details will probably be bad, though also imperfect, and a lack of information can sometimes be a good sign.
Such was the recommendation from a pair of panelists speaking Monday at the 2021 RSA Conference – David Estlick, chief information security officer of Chipotle Mexican Grill and James Christiansen, vice president and CSO of cloud security transformation at Netskope.
“In the first hours you’re going to get 100 phone calls from every person with a letter before their VP – so your executive VPs or senior VPs, your management, leadership team,” said Christiansen, who previously held security leadership roles at Experian, General Motors and Visa. “I’ve even had calls from the chairman of the board wanting briefs. This is a difficult problem to manage because these are your executives… You’re going to be talking to the CEO and your management team, and it’s going to be a flow of bad news.”
CISOs and security leaders must therefore set those expectations with their executives up front, Christiansen added.
“You’re going to have imperfect information going into these briefings,” said Christiansen. “But you’re the leader, you’re the one they’re depending on. You have to have confidence in where you’re at – and even though you don’t have perfect data, you can tell them what you know and what you’re doing; you have to have that confidence that you have it under control.”
And while executives may demand answers, sometimes a lack of news is actually a positive development, and should not be interpreted as a lack of effort, noted Estlick at Chipotle.
“I’ve been through this scenario where the first 48 hours of an incident we didn’t have a lot of news,” recalled Estlick. In that instance, an external report had warned that the organization may have suffered a security issue.
“We were meeting with the executive team every few hours, and as I got into the second day they were becoming frustrated by the fact that I didn’t have any news. And I said, ‘Well, actually no news at this point is good news because if I come into this room now with news, it’s only going to be bad.’”
Fortunately, as it turned out, there was no incident after all – which in retrospect explained why there was so little to share.