The Power of Collaborative Incident Response
By Judy Titera, Independent Director, Consultant (former Chief Privacy Officer at USAA)
It’s easy to denounce silos and promote collaboration, but how does an organization actually go about enabling communication, compliance, and coordinated action across and between departments?
There are many questions to answer. Which teams and leaders are involved? Who is responsible for what? Where do you start to build a collaborative response program? In my time leading privacy teams and managing data incidents, I’ve learned that what you do before and after a data incident is just as important as what happens during one.
Before the Incident
Effective incident management begins well before an event ever happens. Privacy leaders must recognize that the everyday actions of their teams will directly inform their performance during an incident.
- Define and document what your company considers “Material.” What types of situations and impacts would be considered Material to your company? Think beyond the obvious cyber or ransomware attack and consider whether and to what extent employee misconduct, social media mishaps, and/or financial errors would warrant a coordinated incident response.
Assessing and attempting to respond to every minor incident as a material event risks spin, confusion, and burn-out; conversely, failing to fully understand and appreciate potential incident scope or impact can be disastrous. Finding a middle ground can be difficult, but understanding, defining, and documenting your company’s position is critical in today’s regulatory environment.
- Teams must create, document, and communicate the company’s incident response handling and escalation process. Clearly defining and socializing key channels, hand-offs, decisions, and accountabilities will help minimize debate and confusion. It is also critical to understand the regulatory requirements specific to your company and to support or develop tools and processes for accurate reporting under those requirements.
And most importantly…
- Regular open communications and trusted, ongoing working relationships between teams are required to enable smooth cooperation during critical moments. Notification of a breach or data incident is not the time for Privacy, Security, Risk, and Compliance teams to be meeting for the first time.
Identify early on who specifically will be called upon to serve on the response team—think broadly; potential organizational impacts include financial, legal, reputational, strategic, third-party, and more—and establish regular meetings or working group syncs to strengthen communication channels.
During the Incident
When an incident or potential incident is reported, it is time to activate your response plan and utilize the processes and tools you have developed.
- Engage your team of teams. Previously identified key representatives (or their designated, authorized backups) should meet in the manner prescribed in your process and roadmap, referencing the approved policies and methods to collaborate and respond. Ensure communal understanding of timelines, goals, and deliverables, and allow your appointed incident commander or leader to guide the collective response actions.
After the Incident
Even when the incident is over, there is more work to do to learn, improve, and bolster or restore trust and teamwork.
- Where your team was successful, share and celebrate that success. Spread recognition and appreciation far and wide, and applaud the inter-departmental efforts that led to positive outcomes. Simultaneously, conduct an after-action assessment of whether, how, and to what extent the team fell short of expectations. Identify specific causes and effects of gaps, and clearly document and communicate the lessons learned.
- Leverage your lookback to capture insights on communication barriers, impaired processes, flawed assumptions, unknown dependencies, unclear authorities, and more. Use these insights to iterate on the incident response plan and policy to improve future performance. Scenario planning and tabletop exercises will help to pressure test your changes and overall response approach, and will further bolster trusted partnerships across the organization. Evaluate the performance and outcomes of the team after every exercise to identify additional areas of opportunity.
Data incidents necessitate a unified response; silos and infighting during an event only exacerbate the risks and potential impact an organization faces at an uncertain time. Accordingly, enterprise-wide teamwork is critical to respond quickly and effectively. Encourage open and honest communication and feedback among team members and stakeholders throughout the data breach lifecycle, but don’t wait for an incident to get started.