RSAC 2024: Data breach survivors discuss lessons learned

May 06, 2024 - SAN FRANCISCO, Calif. – At RSAC 2024, there is no shortage of experts who have experienced data breaches and emerged with lessons learned. At a Monday morning session, experts from Equifax, Google Cloud, and law firm Paul, Weiss discussed best practices for responding to data breaches based on their firsthand experiences.

The best practices largely focused on communication and tabletop exercises, two essential components of breach response that are often underutilized.

Russell Ayres, SVP of cyber operations and deputy chief information security officer (CISO) at Equifax, stressed the importance of maintaining open lines of communication during the aftermath of a breach, both internally and externally.

“People are your most important asset, so keep them in the loop,” Ayres said. Equifax suffered a data breach in 2017 that exposed the personal information of more than 147 million individuals, requiring a large-scale response.

“It all comes down to communication,” added Tim Crothers, CISO at Mandiant, Google Cloud, who responded to LockBit’s false claims that it breached Mandiant in 2022.

“Everybody is trying to assess whether you have things in control,” Crothers added. “Whether it's regulators, customers, or partner organizations, all of them are trying to make a judgment call – are we on top of it? Do we know what’s going on?”

Crothers suggested that the biggest contributor to that public perception is a solid communications plan, especially one that accounts for all contingencies.

In addition to locking down a communications plan, the panelists emphasized the importance of tabletop exercises that include the CEO, CFO, and other key stakeholders who will need to lean on their security teams in the event of a breach.

“By going through these exercises, they get to see you in a simulated crisis which allows them to trust you more and lean on you more,” Crothers said.

John Carlin, partner at Paul, Weiss, emphasized the importance of structuring these tabletop exercises in a way that effectively communicates risk to the C-suite, while being sensitive to the fact that you may not have all the information you need as a breach is actively unfolding.

“You have to be able to make critical decisions in that area of uncertainty,” Carlin explained.

Carlin also advised that CISOs communicate risk effectively before a security incident, ensuring that they vocalize how their systems work and how risk is quantified in advance of a breach. Executives will feel more comfortable making key decisions in the moment if tabletop exercises were completed prior to the incident.

The panelists all agreed that when an incident plan fails, it is typically due to a lapse in communication or a lack of preparedness, both of which can be tackled proactively in advance of a security incident.