The Human Element of Incident Response – Part One
By Vanessa Pegueros
DocuSign Chief Information Security Officer
There is an extraordinary amount of money and time spent on detection and response relative to cybersecurity, and much of this conversation is technology focused. In this series of articles, DocuSign CISO Vanessa Pegueros explores a different aspect of incident response — the human being. She asserts that people ultimately orchestrate incident response and the care and development of employees should be at least as important as the development of technology, and she offers items to consider relative to developing the human elements of incident response.
Part One - Introducing Trauma as a Security Concept
It seems the weekly breach announcement has become as common, yet far less interesting than the latest episode of your favorite Netflix or HBO series. Breaches are no longer exciting news and individuals seem resigned to the fact that they will be getting a new credit card issued to them due to a security issue at least once or twice a year.
I recently began to consider why we seem to accept a level of numbness around this seemingly intractable problem. I was concurrently doing research on trauma and how it impacts humans as well as the techniques to help people recover from their trauma. Numbness happens to be an effect of trauma, which led me to connect two very different worlds: the world of trauma and the impacts of cyberattacks on organizations.
As I began to explore this further, I was amazed at the high level of correlation between what people experience in trauma and what organizations and their employees experience with a cyberattack. The similarities aren’t surprising, though. In the midst of identifying and stopping an attack, we tend to focus on technical remediation, but there can be a real impact to employees as well.
The surprising element of the research was the response of the organization under cyber-attack or in a breach scenario and the behaviors “the organization” exhibited. I uncovered two characteristics of organizational responses: avoidance and reaction. These are both common responses when an individual experiences trauma. When defining how organizations avoid and react to the cyberthreat and breach reality, I propose we consider the 4 D’s: Denial, Damage Control, Defend and Deflect.
Denial manifests itself in various forms, like embracing the “it won’t happen to us” belief or refusing to listen to those employees that warn about impending doom (aka the security team). These types of organizations look negatively upon those who highlight the bad things that could happen. It’s human nature – we don’t like to think about bad things because it invokes fear and anxiety, the entry points of trauma.
Once the bad event actually happens, organizations move to the next phase: damage control. This often involves controlling communications, suppressing information that might further damage the organization, and beginning the process of finding a way out. We often see messages and behaviors that ensure everyone knows it wasn’t their fault (Defend) and suggest someone else to blame (Deflect).
These both damage the organizational response to the situation. Defending often results in individuals or teams refusing to take any accountability and minimizing their role in the situation. Defending can also be very passive, taking the approach of innocent victim in hopes of evoking sympathy. While deflecting, the organization will begin to blame others, involved including suppliers and vendors. The organization may also deflect to poor processes or the wrong organization structure.
At this point, the organization will typically announce the “fall guy.” In the case of a breach or a cyberattack, this is often the CISO or CIO. This reaction is causing more stress and anxiety to security leadership, as they realize they will become a casualty of a broader issue that no one role or leader can solve. In addition to blaming “the person,” the organization may also deflect to poor processes or the wrong organization structure.
There are also real effects to the employees themselves including: numbness, helplessness, burn out, isolation, paranoia, “black and white” approach to decision making, rehashing the event over and over, and obsession with attribution.
When I think about how our industry is dealing with the incident response challenges, I hear a lot about technology and how it will solve our problems. There is no doubt that technology plays a key role in the solution and I will be discussing that in future articles; however, there is an overlooked element here – people.
All of these behaviors and reactions can be explained as we come to better understand how trauma impacts humans. I will cover several topics in future articles including our current approach to incident response and the ways to improve it based on trauma research. In my next article, I intend to introduce the basics of trauma research and impacts to people which is foundational to future articles.