Avoiding a Meltdown: The Management Incident Response Team

How your company handles a data breach can make the difference between survival and extinction.

By James Christiansen

August 01, 2006CSO

Over the past year we have seen many examples of breach notifications ranging up to millions of victims. Looking further into the business impact of the post-breach process we can quickly see that how the organization reacts to a security breach can make the difference between a minor financial impact and a complete corporate meltdown. "A firm's failure to communicate effectively after an emergency strikes can be more destructive than the emergency itself," writes Richard Bierck in Harvard Management Communication Letter.

The real costs in any security breach are the long-term financial impact of lost customers and potential negligence lawsuits—not the immediate remediation costs. Well after the event, you will still experience a productivity reduction due to increased oversight and audits by regulators, clients and business partners. (Recently, one such court-enforced penalty was biennial reviews over a 20-year period.) Whether that additional scrutiny shows an effectively managed organization deserving of the continued trust of your stakeholders is entirely in the hands of top management in the moments following a major emergency. Clearly, establishing good security measures and controls is the first priority. However, in the era of rapidly evolving cyberthreats, even a well-defended organization may suffer a breach at some point. Given that reality, your public reaction to any incident should be meticulously planned in advance.

Establishing a management incident response team (MIRT) is the key. The MIRT is sometimes called the crisis response team. This is very different from the commonly understood cyber incident response team (CIRT). The CIRT is focused on answering such questions as What happened? How did it happen? What damage has been done? And how do we prevent it from happening again? The primary task of the MIRT, on the other hand, is to take the information from the CIRT and begin the process of managing the event from the perspective of the critical stakeholder groups you depend on.

The MIRT is a cross-functional team consisting of the CISO/CSO, chief privacy officer, general counsel, chief compliance officer, business line presidents and public relations (or functional equivalents). The MIRT must first ensure that accurate and complete data is gathered concerning the incident and continue to get reports from the CIRT about necessary remediation. But the MIRT's primary role involves communicating to its stakeholders in a highly targeted manner. The team will determine the appropriate parties that must be notified both under the law and consistent with corporate values, as many organizations will decide to go beyond the legal or contractual requirements to protect the clients and consumers. The ultimate goal of all crisis communication is essentially to uphold long-standing relationships and assure key stakeholder groups that your company understands how the breach impacts them and what you intend to do about it.

RESOURCE CENTER