When Peter Drucker produced his seminal work, “What Makes an Effective Executive,” in the Harvard Business Review (Drucker, June, 2004), he may not have been writing with cybersecurity in mind. In fact, in 2004, the cybersecurity world had only begun to appear as the many-headed beast it’s become since then. Nonetheless, this text is an excellent guide for executives about incident response and breach management.
In the article, Drucker outlines eight critical practices that he’s sourced from successful executives over a sixty-five-year career. Although each leader’s style and experience varied, they all consistently demonstrated the following techniques:
- They asked, “What needs to be done?”
- They asked, “What is right for the enterprise?”
- They developed action plans.
- They took responsibility for decisions.
- They took responsibility for communicating.
- They were focused on opportunities rather than problems.
- They ran productive meetings.
- They thought and said “we” rather than “I.”
The first two questions should be primary considerations before beginning to manage a cybersecurity incident. Breaches are stressful, and it’s often easy to get mired in the technical minutiae rather than the goal of recovery. Executives may leap to find an immediate solution, minimize the damage, or assign blame. While all of those may be appropriate steps, they aren’t the top priority. Firstly, it’s crucial to establish a clear picture of what needs to be accomplished while keeping the organization's higher strategic goals in mind.
Preparation for an inevitable breach is surprisingly rare. “According to a survey of 50 executives, Deloitte found that although ransomware and cyber-attacks remain a top concern for executives, 54 percent of the executives surveyed stated that the organization had an incident response plan, but not specifically for a ransomware attack.” (Freedman, 2021)
This speaks to Drucker’s question of “What needs to be done?” Without a plan, most executives will depend on their I.T. teams to either make things up on the fly or search for solutions from a generic third party. Preparing an incident response plan ahead of time will help ensure the weight of the breach doesn’t fall on one set of shoulders. Facing a breach is much more manageable when there are designated resources to guide recovery, perform the work, manage resources, etc.
According to Drucker, “In areas where they are simply incompetent, smart executives don’t make decisions or take actions. They delegate. Everyone has such areas.” Most CEOs specialize in something other than cybersecurity, so they rely on trained incident responders to provide quality advice toward recovery. If an organization doesn’t already have that aid locked down, the exec needs to find that talent in a third party and fast.
The outlook is a little brighter where the second question is concerned. Most executives have a clear picture of the organization's goals, and those goals should drive the overall approach to cybersecurity and inform their incident response plan. For example, if the organization plans to grow through the acquisition of other firms, a heavy focus needs to be placed on cyber due diligence and careful integration planning. Simply adding a newly acquired firm to a larger company network can open hidden back doors in an ordinarily secure organization.
The experts’ third point relates directly to the first – they developed action plans. ProCircular’s team has collectively handled thousands of incidents and outages and learned that those organizations that have prepared ahead of time spend less, recover faster, and minimize the damage. Planning for the worst can be daunting for some businesses, but it’s all too necessary. “Napoleon allegedly said that no successful battle ever followed its plan. Yet Napoleon also planned every one of his battles, far more meticulously than any earlier general had done.” (Drucker, June, 2004). Without an action plan, the executive becomes a prisoner of events.
Taking responsibility for decisions and communicating are equally important aspects of good incident management. While the CEO is likely not the individual who incorrectly configured the firewall or opened the vulnerability, their leadership ultimately led to the situation at hand. Perhaps it was a budgeting decision, a staffing misstep, or simply the approach taken during the pandemic that opened a vulnerability. Bottom line, the business and leadership own cybersecurity strengths and weaknesses, and at a minimum, the shareholders will hold them responsible.
Although emotions are running high, it’s imperative to avoid assigning blame during the breach, as it will almost certainly distract essential members of the team (read: I.T.) who may be the only people able to stop the bleeding. If they’re afraid for their jobs or made to feel like the blame will fall on their heads, they’ll be distracted from the overarching goal to get back up and running.
The same goes for communication. Keeping lines of communication open, bringing the right people into the conversation, and keeping the discussion productive are priorities set at the top by example. Keeping a cool head, a reasoned approach, and a clear set of goals improves the exchange of information, and ultimately the outcome of the breach.
According to Drucker, effective executives ask, “How can we exploit this change as an opportunity for our enterprise?” (Drucker, June, 2004) While the immediate task at hand may be resolving the breach, the effective executive will see this as a chance to justify organizational changes that will prevent the situation from arising again. If the breach was caused by someone simply clicking a link, there is likely an opportunity to use this well-known event as evidence of a need to train employees and bring them to the organization's defense.
Running productive meetings is critical in an incident and leads to a more rapid resolution. A capable project manager or incident commander is best suited to keep the meeting time to a minimum, keep conversations focused, and keep resources working toward their tasks. The executives should make it clear that the incident commander is doing the play calling and that they have the full support of the management team. Without this approach, conversations can devolve into more blaming, conjecture, and discussion rather than the vital task of getting the firm back on solid footing.
Lastly, the use of “we” is another critical aspect of managing such a potentially damaging situation. Cybersecurity is a team sport and often requires input from individuals with a variety of skills. Even the most skilled incident responder won’t have access to the same resources as the FBI, the knowledge of experienced cybersecurity legal counsel, or the domain knowledge of the I.T. people who built the system in question. It takes all of these perspectives to safely and effectively resolve a cybersecurity breach, and a capable leader recognizes the importance of team cohesion.
While new problems in cybersecurity arise every day, this careful approach to problem-solving has endured. Drucker became involved in computers as early as the ’50s and ’60s (Davenport, 2007), so he likely couldn’t define ransomware and probably never experienced a cybersecurity incident firsthand. He did, however, have a deep understanding of management theory, how changes happen within an organization, and the impact that solid management can have on overall success. His insights into this area provide a foundation for creating a cybersecurity incident response program, and his guidance for leadership can save companies from themselves in the event of a breach. By applying Drucker’s eight rules, executives can transform a cyber incident from the worst day of their careers into the beginning of a new chapter in the organization’s future.
Bibliography
Davenport, T. (2007, May 8th). A Conversation with Peter Drucker. CIO Magazine.
Drucker, P. (June, 2004). What Makes an Effective Executive. Harvard Business Review.
Freedman, L. F. (2021, Sept 16). Few Organizations are Actually Prepared for a Ransomware Attack. National Law Review.