As we looked at the first two of the three Basic Truths of Incident Response Leadership (“Assume You Will Fail” and “Have A Workable Plan”), we focused on activities that the Incident Response Leader does with the incident response team being led. The final truth involves the other direction on the organizational chart…
Basic Truth #3: Communicate Your New Posture To Your Boss
Once you’ve changed your mindset about getting compromised, and you’ve reviewed, tested, and (hopefully) exercised your plans, you are going to enter what is, for some people, the most challenging Basic Truth – explaining what you’re doing to your boss.
Now, to be honest, you should be regularly talking with your boss. Organizations rely on middle level managers to have frank, open, and honest discussions with more senior leaders so that the organization’s efforts are aligned with the overall direction of the business. The role of the Incident Response Leader is to not only train “down” the organizational chain but to educate “up” the chain as well. The best way to do this is through regular conversations.
The potentially tricky issue is that you may have to undo years of senior leader assumptions about the organization’s incident response approach. As difficult as you may have found it to “Assume You Will Fail”, your boss – who is probably much less directly connected to the daily realities of incident response – is likely to be even more resistant to a change that starts from the premise that problems will occur. Hopefully you have been hinting, nudging, guiding, and educating your boss throughout this process, so that this will not come as a surprise (because, as a general rule, surprises to your boss are a bad thing).
As you educate your boss, you may need to back up and re-teach some of the basics of information security and risk management. If your boss needs that catch-up, you are in luck, because there will be that much less to un-learn. Over several meetings, take the time to ensure that your boss understands the “why” of what you’re doing before you start into the “how”. Take the time to demonstrate that you not only understand the business of Incident Response, but that you understand the business of the organization and your role in it.
Take the time to talk through the benefits of “Assuming You Will Fail” by pointing out that the organization cannot afford “perfect” security, but can afford a quality incident response team to respond to and mitigate any issues. Through discussion you can reframe, redefine, and provide your team with realistic goals and objectives that senior leadership understands and will buy into.
This conversation sets you up for the key discussion – formalizing the performance expectations for you and your team; setting up and documenting exactly what you will do and how you will be measured; and, most importantly, how the organization will define your and your team’s success. If you do this well, you will have turned what previously would have been considered a failure into a significant win for the organization, your team, and you.
Accepting and acting on the Three Basic Truths of Incident Response Leadership will enable you to better serve your organization, your team, and yourself. I’d love to hear from other IR leaders to see how this works for you.