The Moments After a Major Breach
Episode 39 • 23rd December 2020 • The New CISO • Steve Moore

Shownotes

On today’s episode, David Damato, the CISO at Gemini Trust Company, joins us to speak about what occurs within organizations during and after a breach—and what should happen for the best outcome. He emphasizes communication, confidence, and clarity. 

 

David’s Journey 

David works for Gemini, one of the few regulated cryptocurrency exchanges. It is regulated by the New York Department of Financial Services, along with other entities. Gemini must demonstrate that it is a legitimate organization, because the field as a whole has had a lot of problems. The company prioritizes building trust, and David believes the industry is evolving toward a more mature state.

Before Gemini, he spent about 10-15 years working at scrappy, small organizations. He had a lot of fun helping them grow into larger institutions, and sharpened his expertise along the way.

The Planning 

David has aided over 100 organizations directly during a crisis, and indirectly has helped a couple hundred more. In working with many institutions, he has found that the best outcomes occur when the company executes, in an organized manner, on the practice and planning it did before the breach. Planning starts well before a breach and is structured around the architecture, the logging system, the data, and whether the team engages in mental exercises.

David also explains that the outcome is affected by the size of the organization, by security's status within the institution, and by which of two types of panic arises: panic that people will find out, or panic over the safety of customers and their data. How David is viewed, either as a help or as a hindrance, reveals the priorities of the leaders. An organization can either be grateful to his team for exposing flaws so they can be fixed, or it can try to hide its mistakes. Listen to the episode to hear more examples of behaviors that influence crisis management.


Branding and Communication

Next, David speaks on communicating both internally and externally about the breach. An effective security team communicates with the rest of the institution about the importance of the job. If you can advertise to the right people about the threat and what you can do, you can receive more funding. If not, you might struggle to solidify your place in the institution.  

 

David also points to the branding of the company as having an impact on how a breach is viewed or managed. He gives Google as an example. People have great trust in Google, and its staff participate on boards and at events. When there was a breach, they talked about it, and talked about it in the right way. People already liked the business and the brand before the breach occurred, so they were more forgiving when it did. All of these factors helped the breach be better received.

Additionally, the figurehead who manages the breach matters. David finds that non-technical executives need training so they know what to say when a breach happens. Without this training, executives can misspeak out of lack of knowledge, or overshare without realizing it could worsen the threat. He emphasizes training and practice.

During and after a breach, how an organization communicates with the public is key. Therefore, every point of contact must be taken seriously: phone calls, interviews, and the written letter. As an example, David and Steve run through a practice interview. Listen to the episode to hear what David presents as a solid response, what he presents as an incompetent one, and the difference between the two.

David stresses that institutions should have relationships with reporters they trust and like. When these relationships are established, the news can be reported accurately by someone who understands cybersecurity. Additionally, the organization needs someone who understands what information should be public and what should not, for the safety of everyone involved.

Evolving Controls 

David touches on how many institutions need to catch up with evolving controls. Even vendor-agnostic controls, like two-factor authentication, should be standard practice by now. Small but important practices such as these can mitigate the risk of a large-scale breach.

David states that most large companies still run outdated cybersecurity systems, having grown out of them without replacing them. They need a complete revamp of their methods and technologies. An older system forces the security team to tackle an array of low-level attacks instead of focusing on more advanced, dangerous threats.


Remediation Event

When a breach occurs, it can reveal an advanced attacker that has been inside the system for some time, even for years. When an attacker has been in a system for that long, you have to assume that everything has been compromised. This warrants a remediation event: enterprise-wide password resets, a new set of controls, and the whole platform taken off the internet. All of this occurs within 48 hours.

Now that many businesses are on the cloud, David discusses how this process has changed.

When a Breach Ends 

David examines how we know when a breach has ended. He believes it takes 2-4 years for a company to completely return to normal. For the first year, the team must manage the crisis. The second year is spent instrumenting new systems and getting used to them. However, the memory will last as long as litigation is involved.

The New CISO 

Each organization has a different idea of what a CISO is, but David offers one key trait: the new CISO should be able to help enable the business while mitigating risk.

Links: 

New CISO Podcast

Gemini Website

Gemini Taps David Damato as its Chief Security Officer
