The news just kept getting worse. We now know that more than 45 million credit and debit card numbers were stolen in the TJX Companies Inc. data breach. Over the past few months, the scope of the problem seemed to grow with each announcement. The public didn’t learn the (presumably) final toll until late March, when the company filed the figures with the U.S. Securities and Exchange Commission.
Even now, with the news out there, company officials aren’t eager to talk. Calls seeking comment for this story went unreturned. Yet IT executives who have successfully handled data security breaches and other incidents say communication is actually one of the most effective ways to contain a crisis.
“Transparency both inside and outside the organization is very important, and an important role that a CIO can play is communicator,” says Darryl Lemecha, CIO and senior vice president of shared services at ChoicePoint Inc., a data aggregator in Alpharetta, Ga., that suffered a security breach in 2005 and learned firsthand the critical role that honest communication can play.
CIOs are making headlines these days, but not always for the right reasons. Security breaches, crashed Web sites and other public technical snafus create the kinds of crises that put IT leaders front and centre.
Are you prepared?
You’d better be, because how you follow up in the immediate aftermath of a crisis can affect not only how the event is perceived, but also how successfully you’ll avoid trouble in the future. It’s not so much what occurred that matters, says Mike Tainter, IT service management practice director at Forsythe Solutions Group Inc. in Skokie, Ill. It’s “how it was handled and communicated afterward. That’s what really matters,” he says.
As CIO, you can’t leave crisis management to other executives, even if you’re buried in the immediate task of solving the technical problem that precipitated the whole mess. You need to both lead the IT work and play a key role in the business’s efforts to cope with the aftermath. Here’s how: Rely on your plan. This is no time to wing it. “You shouldn’t stand back and scratch your head and say, ‘What should we do?’” Tainter says. Instead, get out your incident response plan and put it into action. As your IT people start running down the technical causes of the crisis, you should start implementing the plan that lays out your business responses, your key contacts, and your public and regulatory obligations.
Work with the right people
“We’re operating in two courts at the same time: the court of public relations and the court of law,” says Joe Brennan, executive director of communication and marketing at Ohio University, which suffered a series of data breaches in 2006. “The CIO has to know that what the organization says and does can expose the company to legal risks.”
To minimize such risks, reach out fast to the nontechnical folks who can help you, says Janice Malaszenko, who has served as CIO and chief technology officer at several Fortune 1,000 companies. Those people include human resources staffers, who can help deal with employee-related issues; public relations people, who might need to field questions from the media; and legal staffers, who will help craft responses to public and legal inquiries.
You also might need the Chief Financial Officer to authorize emergency spending, accountants to track spending for insurance claims, or operations folks to work overtime to make adjustments as IT gets everything back up and running, Brennan says. It’s also important to touch base with executives from your vendor companies, says Dennis Fishback, CIO at Calpine Corp., an energy producer in San Jose. That way, you can reach them quickly if you can’t get what you need through the normal chain of command.
Identify the problem, then dig deeper
The recovery process must include a root-cause analysis, Malaszenko says. So while your IT team is containing the situation to prevent further damage, you and your staff must be analyzing the underlying security problem to prevent it from happening again. That’s just the start, though. “Look around at the environment and ask what other scenarios or situations could happen,” says George McBride, director of IT risk consulting at Aon Consulting Worldwide in Chicago.
If your firewall was breached, for example, look for other vulnerabilities that hackers could exploit. If your server crashed because of a bad patch, check whether other servers are using similar patches. “It’s easy to forget this, because you’re so focused on the problem at hand,” McBride says.
Also, examine why the crisis wasn’t averted in the first place by your early-warning processes and systems.
Communicate with all stakeholders.
After experiencing a technical meltdown, people want answers. It’s your job to help supply them, Lemecha says.
Following ChoicePoint’s 2005 breach, Lemecha made sure that various stakeholders – the board, customers, consumers, the IT organization, all ChoicePoint associates, the news media and regulatory bodies – knew what had happened and what was being done to fix it.
“Initially, I spent time on the phone with various business unit leaders, discussing with customers what actually happened and how the customers’ data and our systems were secure,” says Lemecha, who recalls speaking to one upset customer for two hours.
“He had a large number of misconceptions about ChoicePoint, the incident and the data that we maintained on consumers,” Lemecha says. “At the end of the call, he was so pleased with what ChoicePoint was doing that he sent [CEO Derek Smith] a note congratulating us on our steps.”
Lemecha talked with corporate information officers and their senior staffers and explained the steps IT was taking to protect information, such as the removal and truncation of sensitive data.
He also assisted in the preparation of board presentations and worked with others to create a Web site that offers consumers up-to-the-minute information on privacy efforts.
Eventually, “everybody participated in communicating to customers,” Lemecha says. The business unit general managers coordinated the customer communication efforts, first by calling customers and later by distributing documents that explained ChoicePoint’s privacy and security practices.
“If we were to do it all over again, I would have all these materials in place upfront so that we could have distributed information to the media, regulatory bodies and customers – and posted information on our Web sites simultaneous with any consumer notices,” Lemecha says. “This would reduce the amount of false information that [proliferates] on the Web in times of crisis.” After a crisis, he says, the CIO is uniquely qualified to communicate in virtually every direction. “The CIO is in the best situation to really understand all the technical issues, the business process issues and how they all come together,” Lemecha says. He can “talk up to the executives and talk down to the technologists” about the direction the company is headed, as well as convey information outward to customers.
Connect with affected colleagues.
When hardware problems affected his company’s energy trading operations, Fishback flew from his San Jose office to Houston to meet with his senior management team – a dozen or so officers and directors who are based there.
“It’s important for them to see that