The first of three hypothetical scenarios examined by a board as part of the AICD’s Governance Summit this week was a malicious data breach.
The initial response to this ‘breach’ was not a smooth one.
In the first five minutes of the scenario, there was confusion about what to do and who was doing what. This is a crucial window, and the CEO would have been in a much better position to assist the board if he and his executive team had worked through some disciplined breach preparation, including putting a response plan in place before any actual breach.
If a plan had been prepared, the hypothetical CEO would have been able to say something along the lines of “we have a breach response plan, we know what we are doing, roles and responsibilities have been set, timings have been set, we have activated it.” While all of that activity is going on, the board can focus on the high-level, public-facing crisis issues.
This scenario reminded me that while there was a rush of interest in preparing for data breach notification in February 2018, and again at the end of May when the GDPR was introduced, many businesses may not have revisited the issue, or their response readiness, since.
Dealing with a data breach takes some planning and, to reuse a tried and tested phrase, failing to plan is planning to fail.
In a crisis, you need to be able to simply execute and everyone needs to know their role and responsibility.
The time spent by an executive team, either running a scenario or simply going through the plan and allocating roles, is a few hours well spent that more than recoup themselves in the event of a crisis.