#RSAC: How To Deal With a Panicked C-Suite During a Ransomware Event

In the immediate wake of a ransomware attack, you can bet that the C-suite is going to panic and demand an immediate fix. Carol Barkes, a conflict resolution consultant, talked about the physiological considerations a CISO should think about when dealing with a panicked C-suite.

Carol Barkes is the best-selling author of NeuroMediation. She is also a conflict resolution consultant. At the RSA Conference 2022 in San Francisco, she shared the stage with Edward Vasko, director of the Institute for Pervasive Cybersecurity at Boise State University.

Vasko talked through the various stages of C-suite reaction to a ransomware attack, and Barkes shared tips for CISOs on how to handle each of those stages.

Panic

“When your SOC calls you on a Friday afternoon to alert you of a ransomware attack, soon followed by a call from your executive team, it’s the worst moment of a CISO’s life. It’s that Jaws moment,” mulled Vasko, who called this first stage “panic.”

“The first thing you need to do is consider the level of physiological stress the different members of the executive team are dealing with and understand that our bodies react to stress in different ways. Stress shuts off the thinking part of the brain,” explained Barkes. “It helps to soften your voice, make eye contact and make sure they know ‘I’ve got you, we’ve got this.’”

Overreaction

Overreaction often follows panic, said Vasko. “The C-suite will inevitably overreact, want an instant fix, an immediate call to action, and will often want anyone involved out the door. At this point, the C-suite is at its most stressed, reacting just to react and willing to do anything for a fast fix.”

This is where you enter a negotiation phase, said Barkes. “You are negotiating with multiple stakeholders. The most important thing to do here is to join the dots for them, and the more you map out and join the dots, the better chance you have of interrupting the evil plot twists they will no doubt be imagining.

“Ideally, you will have set the stage in advance. At this point, you need to explain what the plan is to respond to multiple different scenarios.”

Preparedness

“When the stress kicks in, you can’t make good decisions because your brain isn’t switched on properly,” explained Barkes. “That’s why it’s important to forecast and practice scenario-planning” ahead of any incident, she said. “Making plans in advance will alleviate the need to make real-time decisions under high stress.”

“The confidence that comes with well-understood processes gives you preparedness and sets you up to be ready for those conversations with the C-suite [in the event of ransomware],” added Vasko.

Finger Pointing

Next, said Barkes, come accusations and, inevitably, defensiveness. “In these moments, people become defensive; they become bad listeners. The remedy of defensiveness is curiosity.” She suggested dropping defensiveness and instead asking questions of the C-suite. “Ask what concerns them most, ask what a fix looks like for them. You need to interview them, dial back your defensive reaction and just listen.”

She added that when humans are stressed, they typically talk fast, “but we all do better if we slow down. So take a moment to channel your emotions and don’t be reactionary.”

Communication

The final physiological consideration is the art of communication. Again, in advance, if possible, Barkes recommended learning and practicing those questions to ask in the aftermath of a ransomware attack. Further, she advised that when the C-suite talks to you, “stop responding with ‘OK’ or ‘sure.’ Instead, summarize what they’ve said and repeat it back to them to acknowledge that you’ve heard them and understood them. It comes back to connecting those dots for them.”

Communicating regularly and concisely is crucial, said Barkes. She added that communicating those plans and preparedness ahead of any event is even better. “Keep revisiting your plan, connect the dots, and continue to educate your C-suite,” she said in conclusion.