
How CISOs can rebuild trust after a security incident – Source: www.csoonline.com


Cybersecurity leaders share insight on a crucial but overlooked task after any security incident: rebuilding trust with the stakeholders that matter the most.

When incident response plans cover the aftermath, they typically focus solely on technical matters, such as root cause analysis or upgrading systems. The problem with this approach is that breaches are not only technical in nature — they can also undermine trust among various internal and external stakeholders of the business.

This loss of trust can be hard to measure, but it manifests concretely. For example, publicly traded companies may lose the enthusiasm of institutional and retail investors. Once popular organizations for tech talent may see their pipeline of applicants dry up. The morale of your cybersecurity team may wane, leading to retention issues and resignations.

In short, CISOs must prioritize rebuilding trust with stakeholders as an equal priority to any technical exercise. After all, no improvement or upgrade matters if stakeholders do not buy into your organization’s overall cybersecurity plan or execution.

Transparency across the incident lifecycle

Christopher Robinson, chief security architect of The Linux Foundation, says transparency is key to rebuilding stakeholder trust. Unfortunately, companies often take the opposite approach.

“A reporter will get word that something happened, and they’ll approach a company, asking, ‘We hear you’re in the middle of a cyber event,’ and [the company representatives will] clam up, and they’ll be very quiet, or they’ll put you [in touch] with the legal team, and they’ll make threats,” he says.

Larry Lidz, vice president of CX Security at Cisco, believes rebuilding stakeholder trust begins during the incident, and it involves two general groups a CISO will need to communicate with: internal stakeholders, such as the C-suite and employees; and external stakeholders, like customers and regulators. “The commonality between the two is [the need for] transparency,” he says.

To this end, Lidz advises CISOs to state what is being done and when stakeholders can expect to hear back with further information.

“That’s a massive improvement in increasing credibility because they know that you’re on it,” Lidz says. “And when you say, ‘I’m going to give you an update tomorrow at noon,’ they know you’re going to get back to them,” even if that update is that forensics is still ongoing.

Grant Bourzikas, CISO of cloud solutions provider Cloudflare, agrees that CISOs should be “overly communicative” throughout the incident lifecycle.

“Proactive and thoughtful communication through times of crisis will only work to further build trust, versus tear it down. You can have the best technical response in the world, but if you don’t communicate it, your brand and business will fall flat,” Bourzikas says.

Maintaining sensitivity in accountability

Cisco’s Lidz emphasizes that transparency does not end at incident resolution.

“Being transparent, internally in particular, by making sure stakeholders understand you and your team have learned from the incident, that there are things you would do better not just in terms of protections, but how you respond and react to incidents” is essential, he says.

Pablo Riboldi, CISO of nearshore talent provider BairesDev, recommends using third-party auditors to strengthen the credibility of these assessments.

“CISOs can bring independent auditors to review the corrective actions implemented and openly share their findings with everyone involved. Showing how we’re taking responsibility and actively looking for ways to improve goes a long way in rebuilding trust and confidence,” he says.

But when conducting post-mortem or root cause analyses, it is also important to be sensitive to all parties involved, the Linux Foundation’s Robinson says.

“It’s a very delicate balance: There’s an art to telling the truth, and not necessarily being punitive. These are all people that work very hard, giving their all — the operations team, the developers — and you don’t want to crush their spirits,” he says.

Robinson points out that unless a cybersecurity incident originated in malice, most incidents start from business-as-usual problems, such as human error, a security vulnerability in third-party software, or an overlooked backdoor. With this in mind, Robinson says that CISOs can frame the post-mortem positively.

“If somebody messed up, hold people accountable, but you can do that in positive ways, saying, ‘We realized there was a gap in this process, but we’re going to correct that process so it doesn’t happen again,’” he says, adding that soliciting feedback from the group can further demonstrate empathy and rebuild trust.

Robinson says cybersecurity can be a thankless job, and reminding security professionals that leadership understands their struggles goes a long way toward lifting their spirits.

“Leadership showing that they see and value these people in the trenches, the operators — just the recognition that you exist, and your work is valuable — goes much further than three pizzas or Starbucks gift cards,” he says, adding that CISOs can often pay too much attention to the board and fellow leadership rather than their on-the-ground security staff members.

Improving morale in the trenches

Sakshi Grover, senior research manager for IDC Asia, believes employees from the incident response team are often the most overlooked, even though they may bear the brunt of the stress.

“They would be feeling so demoralized after the attack and probably would have been blaming themselves for the breach,” she says.

Grover recommends promoting a growth mindset to mitigate these feelings after an attack by shifting the focus to the team’s problem-solving capability. The business can also offer mental health sessions or even counseling for their well-being, she adds.

Attending to these employees is imperative because they are the primary evangelists for the cybersecurity department. “Word of mouth travels. They are going to then pursue potential employees to come and be a part of this organization,” Grover says.

Esteban Gutierrez, CISO and VP of information security at New Relic, says that during a previous incident, the company ensured its cybersecurity team was attended to so they didn’t experience burnout. Executive assistants helped them with meal delivery and made arrangements so their household chores could be attended to.

“We made sure that they had a way to get those things taken care of while they were helping get the business back into the state that it should be in,” Gutierrez says, adding that this approach should continue after an incident, including time off and deeper examinations of structure and processes to help improve operations and the experience of responding to an incident.

“Are we set up the right way to handle an incident like this going forward? Do we need to build a more global team? Do we need more resources in one geo versus another in order to handle continuity of operations?” Gutierrez says.

Post-incident, cybersecurity employees often return to their bubble, such as monitoring alerts or managing firewalls and cloud security posture. Gutierrez says it’s important to connect the dots between each person’s work and their overall contribution to the organization as a way of ensuring improved morale.

“I make it a key priority for my teams and for my leaders to not just understand what they’re needing to do from a security perspective, but to understand the business and how we are supporting the business,” Gutierrez says, adding that strong relationships with business owners provide even more context for this impact.

Preventing an exodus of customers

When rebuilding trust after a security incident, CISOs should give customers special consideration, as security breaches are often a tipping point, pushing customers to leave an incumbent in favor of a competitor. Equifax in 2017, Capital One in 2019, and T-Mobile in 2021 all experienced a significant exodus of customers in the aftermath of breaches. No matter the industry, people care about how their data is handled and are willing to vote with their business.

Post-incident, Cloudflare’s Bourzikas believes companies should focus on improving relations with and services for current customers rather than seeking out replacement customers in their addressable market when customers defect.

“It is easier to build trust with your engaged customers and shareholders than it is to repair reputational damage with future potential customers,” he says, adding that this task is incredibly challenging in today’s media landscape. “Many times, the headline is all that we read,” Bourzikas says.

That’s why it’s very important for CISOs and their teams to beat media outlets to the punch.

“Being transparent publicly — e.g., releasing a company blog or report — will allow you to share factual and correct information that is not overblown with the community. Don’t shy away from the incident; share your story, and showcase how you recovered, hardened your security, and prepared for the future,” Bourzikas says.

New Relic’s Gutierrez also recommends including key account management of high-revenue customers as part of any incident response plan. Businesses should take inventory of their top 200 customers or more, depending on the nature of their business. These clients will expect to be contacted about an incident, and your organization needs to know the right point of contact for security communications at these companies.

“Oftentimes, the contact at a customer is not always the same person that you want to talk to when you have a security issue that you need to discuss with them,” Gutierrez says. “We’ve made changes internally to make sure that we have a place to track that kind of information whenever we establish a relationship with a customer.”

Regulatory nuances can also shape how this communication is handled, he says. “How we communicate and what we communicate to our EU customers during an incident may differ a little bit from what we do in the US and APAC as well,” Gutierrez says.

In the event of potential downstream risks to customers, these channels of communication are key. For example, an attack on a software provider may lead to security vulnerabilities at their enterprise clients.

“It’s really just making sure that you’re answering their questions before they ask them and giving them the information they need in order to assess and manage their own risk, because at the end of the day that’s a lot of what customers are asking for,” Gutierrez says. “It’s like, ‘Help me understand how this impacted me and what I need to do in order to mitigate that risk.’”

Two-way street to building trust

James Ngui, sales engineering director at Trend Micro, notes that rebuilding trust after a security incident requires openness to feedback.

“A successful recovery process also actively incorporates stakeholder input by including the key stakeholder in post-incident analysis, gathering feedback on response effectiveness, and also demonstrating how stakeholders’ input will shape the future security strategies of the organization,” he says.

This collaborative approach aligns with the broader perspective on cybersecurity, which values trust as much as technology.

“The key to success lies in recognizing that cybersecurity is not just a technical challenge, but a business-wide responsibility that requires effective communication, clear processes, and engaged leadership at all levels,” Ngui says.


Original Post url: https://www.csoonline.com/article/3825447/how-cisos-can-rebuild-trust-after-a-security-incident.html

Category & Tags: Business IT Alignment, CSO and CISO, Incident Response, IT Leadership, Risk Management
