Leadership during a Crisis
David Moulton: Can you settle the debate? Is it CISO or CEESO? >> I'm going to go with CISO, because information is an E not an EE. [ Music ] Welcome to "Threat Vector," the Palo Alto Networks podcast where we discuss pressing cybersecurity threats and resilience and uncover insights into the latest industry trends. I'm your host, David Moulton, Director of Thought Leadership. [ Music ] Today, I'm speaking with Christopher Scott, Managing Partner at Unit 42 by Palo Alto Networks. Chris is a global cybersecurity executive, author and crisis management expert. With a career that spans over two decades, he's been at the forefront of some of the most high-profile and impactful security incidents worldwide. At Palo Alto Networks, Chris leads innovation efforts that support CISOs and Boards of Directors in handling complex cybersecurity threats. His unique mix of technical expertise, incident response, and leadership skills has guided organizations through destructive attacks like Shamoon, NotPetya, and insider threats. Prior to joining Palo Alto Networks, Chris held leadership roles at IBM, CrowdStrike, and L-3 Communications, helping companies across the globe respond to and remediate serious cyber incidents. Today, we're going to talk about leadership during a crisis: how to effectively manage teams, communication, and decision-making in the face of cybersecurity threats and other critical incidents. Here is our conversation: Chris Scott, welcome to "Threat Vector," excited to have you here.
Christopher Scott: Great to be here. I'm excited for the upcoming conversation.
David Moulton: Chris, talk to me a little bit about your journey or your career path; what led you to become a leader in cybersecurity crisis management?
Christopher Scott: It all dates back to discovering we had a Chinese spy at a defense contractor. He had been there seventeen years, and when I watched the FBI and NCIS pull in thirteen cars nose-to-tail, I said enough is enough, and I went from being in the IT space to really focusing on security, and that's how my journey started.
David Moulton: That had to be intense.
Christopher Scott: It was intense. I do have to laugh, and I have seen like in a great capability increase over time, but I remember the FBI agent showing up with a little Sony VAIO, if you remember the little purple Sony VAIO? And I was-I'm big into technology and I laughed when he said, "Hey, I'm going to hook this USB drive up to my Sony VAIO and I need a copy of all this data that this person could have potentially had access to." And being the tech guru that I am, I said, "No you're not. That is a USB 1.1 port, and we will be here forever. So, why don't we go to one of these other computers with a much faster port, and I love your little purple computer, but it's not going to get the job done today."
David Moulton: Chris, today we're going to talk about leadership during crisis and some of your thoughts on how leaders can effectively manage teams and communication in those high-pressure situations. We've got a lot to talk about, but maybe before we get into our conversation, what tripped up the spy after seventeen years? Can you tell the audience that?
Christopher Scott: The FBI actually was able to pick up, I believe, some kind of communications or from another case that led to this process. And then they were able to surveil and work with our internal security team to figure those things out. But from a computer standpoint, no mistakes were made internally on the computer, there were no signs of malicious activity, there was no installation of malware of any kind. The IT and security systems were actually very strong, it just came down to this was a-this was a person who was there to steal things and that's what they did.
David Moulton: Chris, you've had this extensive career working on everything from destructive malware to advising boards of directors; can you share how your experiences, from your early days at L-3 Communications to your current leadership role here in Unit 42, have shaped your philosophy on leadership, especially during a crisis?
Christopher Scott: Well, I have a unique background where I started off at the bottom of the totem pole as a PC tech. I always like to say it's back when the metal cases of the computers would cut your fingers, because they didn't think to like smooth them out, and building computers for that process. But it gave a unique understanding of the operations of IT and the way that a business functions just in the day-to-day process, and that has led to, I think, a greater understanding during a crisis when you're trying to recover, when you're trying to determine what the priorities are to bring a system back online, is that understanding of operations is immensely beneficial to the security and the recovery side. And when it comes to that from an organizational standpoint, like leaders need to be able to identify who the people are within their organization that have not only the operation skill, but the knowledge of the security of the threat, and it's that mix there that provides for the greatest crisis of recovery options, and I found that my experience from that side has been hugely beneficial in mitigating a crisis.
David Moulton: It seems to me that that comes with experience, sort of at bats where you've been in those situations, how do you see yourself as different now than maybe midcareer and early career in the way that you approach a crisis? Is it the heart rate doesn't go up as much? Is it?
Christopher Scott: I think the heart rate always accelerates. It's really hard when you're thinking about a business; businesses are shut down, people aren't working, manufacturing isn't getting things out the door and, depending on the criticality of that business and how it affects society, whether it's local or regionally or even across the world, an example with Maersk is like that was a worldwide impact. Your heart rate is always going to go up, but I think over time you start to realize which systems are important quicker. So, when you have differing views of businesses, because as our world-as businesses have expanded and become bigger, we have more people who have an opinion on what is most important, because they're the leader of different areas of their business, and that experience lets us understand, "I understand what your importance is, but the overall importance for the business" from these at bats with crisis, helps us solidify what is the correct order to recover, which accelerates, you know, business operations coming back in place and relaxing of the board and relaxing of the executives, because they understand, you know, what is going on.
David Moulton: So, given some of that deep experience with the high-profile cybersecurity incidents, what are the most critical qualities that the other leaders need to have when managing a crisis especially in and around cybersecurity?
Christopher Scott: The first place I like to focus is what I call "stabilization." You have a crisis that starts and you need to stabilize the business. You need to stabilize the system to get them to a place where you have at least control of an area. How do we isolate the attacker to a specific location? How do we make sure that they can't migrate between understand what's going on? And the interesting thing about that aspect, it's almost like a dictatorship in that scenario, because there isn't a lot of time for a consensus or opinionated for discussion, because you're under active attack. And so, that's where being able to show not only the leadership to be able to make those quick decisions in the process, but also being able to get people to understand your expertise quickly makes that flow really fast, you can isolate and control. And a lot of people start to become paralyzed and "I don't know what to do." But they have to remember that not making the decision is a decision. And so, if you haven't made a decision, the attacker is going to continually beat on you. So, that was your decision. Your decision was "no decision." So, make the best decision you can with the limited information that you have, because the information that you're getting, it's not going to be there immediately. It's going to take time to understand, but make that-make the call and understand it. And most important, take a step back from the technical and think about what's actually going on. The number one priority will always be human life. So, if you have someone stuck in an elevator, it's not about the ransomware that's controlling the system that controls the elevator, it's about getting the person out of the elevator. That [multiple speakers].
David Moulton: Absolutely. Yeah.
Christopher Scott: So, call 9-1-1, call the fire department, get that process started then go back to focusing on, "Okay, what is the next step I do from a technical standpoint?" [ Music ]
David Moulton: How do you handle the balance between being decisive under pressure and making sure that you're making those informed decisions in the heat of a crisis, knowing that there is a limited amount of information that can be available to you, but that you do need some data, you do need some input?
Christopher Scott: That's outside of stabilization, when you start to get into how we organize the response, how do we organize our next steps; that's where you pull in the expertise. There is always someone in the organization that understands the network architecture; that understands the operation of the systems; that knows the order of things that are most important. It's then empowering that person to give you advice, to help guide that into the decision process. Saying, "Well, this is the situation. We may not have all the information, but if I had to bring up DNS and the domain controller and DHCP in this crazy world, where would be the best place to do it in your environment?" Someone knows that. And it's like, that's when you start moving away from dictatorship and you start moving into how do we partner and collaborate to now rebuild; you will find those people. Sometimes you have to reach out and you have to ask the question to kind of pull them into the conversation, but if you encourage them to speak, if you don't berate like a mistake, because we just have to acknowledge mistakes are going to happen. We're making these choices without all the information. What information do you have to have to make the best decision, and encourage that and then move forward with it? And then, never look back at this point. During crisis recovery, during crisis response, that is not the time for the hot wash to look back on whether the decision could have been better or worse, or what was the right data if we had it? We do that at the end after we have recovered, and we continually move forward with decisions based on the information we have at the time and never think about looking back.
David Moulton: So, let me follow up on that. How do you manage the external pressure from, like, media or stakeholders that aren't in that decision-making room, they're not necessarily responsible for those decisions, but they're demanding information, they want to know what's going on?
Christopher Scott: Typically, what organizations have done, especially if they've practiced response processes, is they have what is known as holding statements, because they need to release some type of information externally, but you're responding at a point when you don't have the details. And so, this is this hard place where news organizations, they want to know what's going on, and customers are calling in and they want to know what's going on, but you don't want to give them wrong information, because wrong information actually, I think, is worse than no information. So, how do I give them to understand "I know that we've been attacked. I know that we have a problem and we're resolving that." Almost like the status pages that you get when you talk about SaaS services. They tell you that they know there's a problem and that they're working on the problem and this is when the next update will be. I feel like that is a great way to approach crisis, because that's-it's the same impact, whether you're with an outage for a system that you're providing or you have an outage because of a crisis; customers just want to know that, one, you know that something's wrong and that you're working on it. So, if you can give them that amount of information and they say, "As more details become available, we will provide what we can." Very important though in there, is working with your external and internal counsel so that you can have a conversation about what we're saying, "Do you have external media that's going to like media preparatory systems or people that help you with that media language?" So that you're having a good conversation, that you're looking for the ways that people may take the language as it is written. So, making sure coordinating all the way across is important.
David Moulton: Chris, I think this is going to be a tough one, but how much better are the teams that you have been with that have practiced versus those that haven't, and like how would you assess that or measure that impact of practicing when it's not a hot event?
Christopher Scott: I think what you'll find is that people that practice understand the media peaks from external media, they understand that they're not going to have all the information. And so, when those types of things happen, even though it may have been a scheduled event that they participate in and it wasn't unexpected, they're used to missing information, they're used to hard requests, they're used to, you know, pressure from maybe an executive in the process. And so, those types of things don't disrupt their response. If you've never practiced even the simple, the news organization showed up outside. Well, as we said earlier, that's going to increase your heart rate, that's going to make you more nervous, that's going to do all kinds of things because you've never thought about that. And just the thinking through the process, even if it's a paper-based exercise or a more immersive exercise, I think really helps relax those known things, because they are-they're going to happen and they don't feel as unexpected for those that have practiced.
David Moulton: Chris, you've led a number of significant responses to attacks like Shamoon and NotPetya, what are the key differences in leading during a major public-facing cyber crisis versus maybe something that's more contained or an internal incident?
Christopher Scott: Always an interesting question about externally known attacks, where people are destroying something that people are aware of, versus an organization that has been attacked and maybe no one is aware of. I think the most important thing to first realize is that to the people readily in the incident, the pressure if they recover, the pressure to understand what happened, that doesn't change. And so, the crisis response side of that is still very, very hard and it has that same level of, you know, concern. The other thing I would say that, and maybe it, it's not something people have thought about, but when it's public, it's public and everyone knows and you know that everyone knows; when it's private, you're wondering when it's going to become public. So, when is an employee going to take a screenshot of ransomware and post it to their Instagram? When is a customer going to post "Why can't I get into" such and such, someone's going to respond, "Oh, I've heard they had a breach of data," and then your phones are going to get flooded with calls from people who want to know. The more I think through this whole process, I think the ones that aren't public could actually be more stressful, because you are so focused on recovery and the "How do I get everything in a line before it becomes known, so that I can answer the questions when it does happen?" I also think over time that, you know, there's a lot more disclosure requirements now, and so you're gathering all this information, you're trying to meet deadlines that have come from different organizational bodies and things like that. That adds additional stress, because now it's not just about the recovery side in both cases, it's also about "Okay, well how long do I have to report this? And when is it required?" And you're seeing a lot more legal involvement in both cases.
But then back-so just back to the piece, I think it's actually more stressful when it's an unknown attack, because you're just waiting for the public to find out. [ Music ]
David Moulton: You mentioned the regulatory side and the reporting side; given the regulations and the compliance issues and the general chaos of an incident, what is the role of documented procedures in a crisis situation like this and how do you make sure that everyone knows what they're actually supposed to do?
Christopher Scott: This is going to come back to that practice side of things again; the "Have you done the tabletop? Have you done the immersive?" Because when it comes to documented procedures, and I remember conducting a tabletop with a large financial institution, and we walked into the room and I said, "Who has a copy of their Incident Response Plan?" And they said, "Oh, no it's on the-it's on the SharePoint Server." And I said, "Oh, the SharePoint Server that just got encrypted? Now your four-hundred-page digital Response Plan with all of your instructions, your contact information, your processes to recover, it's gone." You don't have it. You only had it in one place because you didn't want to have the wrong version, because you want to have all this control, but in a crisis you don't have that. You don't know what's going to be down. You don't know what you're going to be missing. So, document it again and you need to do and you need to practice, but you have to make sure that you have multiple copies of it. You have to make sure that the people who are doing the response can do it without the documentation in case it's been destroyed or it's been locked up or the building has been flooded so the physical location of the document is even accessible. Because it's like, crisis is not just cyber. Crisis is anything that could impact the operations of your IT organization. So, focus on practice. Focus on finding the people who are comfortable in a crisis and making the correct decision or the best decision possible; because there are times you're just going to have all that documentation.
David Moulton: Yeah, I remember listening to a CISO talk about one of the first things they did, which was make sure that everyone on the executive team and the security team had each other's phone numbers in their phone, because you couldn't go to whatever system you were using and count on that being available; you couldn't go to Slack and message them, or you couldn't go into your contacts, whatever that looks like for you, your email, and look them up. And it was the most basic thing, especially in a distributed team, just to be able to run communications.
Christopher Scott: When I was a defense contractor, we set up in our business continuity process and went through that same thing, and back then it was just simpler to create a wallet-sized laminated card that had the name and home, mobile, and pager at the time, of every person that we would need to contact, and we all carried that in our wallet, and there were a couple of times where that information allowed us to make a better decision faster to help us resolve a crisis.
David Moulton: You're talking about this idea of clear communication as being critical during these crises, what strategies do you recommend for maintaining those open effective communications within your crisis team, within those external stakeholders, especially when you think about boards internally and the media externally?
Christopher Scott: So, let's start on the internal team thought process when it comes to communication. Crisis involves a lot of collaboration, a lot of communication. It used to be that you could have one person or two people that could rebuild an environment because they knew all the pieces, but we moved away from having, you know, one person who knew everything. We always called it "the single point of failure." So, if that person was gone, we can't do anything because they know all of the pieces. I think we have taken that a little bit to the extreme now, because now to have enough people and knowledge in the room, I have to have the person who understands the Windows server, but I also have to have the network person, but the network person doesn't necessarily understand the firewall, and the firewall person doesn't understand VLANs and other aspects. And so, you start to gather the SQL person, the person who understands the web frontend. And so, it gets crazy because you have to put all of these people in the room and get them all on the same page to recover one application. Where, previously, you would have one or two people who always worked together who could make that happen. So, with that, communication is key. But then there's also the drawback of disagreeing among that team. And so, what we have found is when you're in the middle of a crisis, you need to establish a clear guide that says, you know, debate is allowed up until the point that the decision is made. And once the decision has been made, there is no more debate; we're in a crisis, the decision has been made, follow through on that work, and if you have people who want to continue to debate after the decision has been made and you are in crisis, you need to replace the person.
You need to find someone else who could achieve the goals of what are their responsibilities, because that additional debate is going to cause chaos within the team, it's going to cause a slowdown of the recovery, and all of those things will actually affect your communication to the board and externally, because you're not going to be hitting the expected timeframes that you had laid out, because the team isn't following through after the decision has been made.
David Moulton: And Chris, I want to switch gears a little bit and talk about innovation. At Unit 42 you lead innovation efforts targeted at solving some of the most complex problems for CISOs and boards, how do you encourage innovation in crisis leadership especially at the fast-paced unpredictable environments that you're operating in?
Christopher Scott: I find today that innovation comes down to data to be analyzed. Like, the more data you have and the more-and the quicker analysis that you can do, the better your decision during a crisis can be. So, when you think about the ability these days of understanding every process that executes, how much time it takes, the amount of memory it takes, the files they are accessing; that whole space of data of how a computer works is powerful, because you can then say, "Well, these hosts are operating normally. These hosts are suspicious." Now in the middle of a crisis, by doing that analysis faster, I can narrow down the areas where the threat actor is sitting in the environment. I could make a decision to isolate and control those areas quicker, which limits their impact. Now, of course, they are also accelerating their speed, right? We see their timeframes to exfiltration reducing significantly as well, and so this is why we need to do this. We need more data, faster analysis, quicker decisions, and I would also say automated decisions. And one of the greatest examples I think is when we talk about credential theft. Credential theft is one of the core things that you should not see on an endpoint. So, I don't care how you're looking for credential theft, but if you get a credential theft, the automation should be already built that says, "Credential theft happened. Isolate the account whose credential was stolen; isolate the endpoint where it happened; and isolate the account that was used to take the credential." That should just be built in as an automation, non-decision process, because there shouldn't be a credential theft that's legitimate within your organization. And I believe that if you build automations around things that should never happen, that is a great way to shut an attack down early, to respond faster, and as that time based on data that gets us to a much better response.
David Moulton: What are some of the next generation technologies that you're particularly excited about as somebody who's advising and talking to CISOs and boards?
Christopher Scott: Well, when we think about the data, first you have to be able to collect the data. So, now you're talking XDR, you know, EDR has evolved into XDR-style capabilities. That is the first level, I think, of things you need. And today's XDR capabilities go across pretty much any platform you can think about, which is powerful to think of all the different ways we run in cloud, we run on-prem, we run different endpoints. The fact that we can get an agent to gather the security data is powerful. So, first you have to be able to have the information to make the decision. Second, it's this ability now to think about the SIEM as a place where you can gather such an immense amount of information that you can correlate and understand what has happened. And that correlation to pull from other systems, to know that this account ties to this user, that ties to these actions across the SaaS platform, that ties to actions across an internal platform. That capability gives responders much more knowledge about what is going on in the environment and helps them understand the concerns so they can make a better decision. Then you can encourage people to create playbooks within SOAR platforms; how do you create that opportunity for them to accelerate response and encourage them to do that? So, have them working, you know, a set amount of time on looking at data and responding, but also a set amount of time thinking about, "How do I automate parts of my job so that I can go look for other ways to automate?" And if you encourage that, you end up with this response process that's even faster and more powerful. And then one other thing that I think is immensely important is empowering your security people to make a decision, but also giving them the time to make that decision.
Security people sometimes need that ability to think through what they're actually looking at, because the worst-case scenario for me, and I have run into many incidents this way, is that a security person saw an event, they weren't given the time to think about the event, they weren't sure what it was, but if they didn't close it they were going to get dinged on their KPI report because it was open too long. So, what do they do? They closed it. They say, "False positive" or "Not a threat," but when we come back and we look at it later after the incident, that was the initial entry point of the attacker.
David Moulton: Yeah, the incentives are wrong now.
Christopher Scott: The incentive is wrong. So, it's okay to ask questions. It's okay to collaborate. It's like, think about creating security KPIs to help drive the results we're looking for.
David Moulton: Do you have any advice for leaders that have global teams managing across boundaries and borders?
Christopher Scott: When you think globally and you have a global organization, incidents run 24/7, and whether you are all in one location or you are global, how do you make sure that you empower each area to do the work and make sure that you have the appropriate handoffs and the trust within those spaces? If you have a global organization but you primarily run the incident from the U.S. and you burn out your U.S. people quickly, then the tail of that incident could become very painful, you could miss things. So, not only making sure that you do the handoff, but make sure you practice the handoff; make sure that you let the people who may be in India doing one thing or in Australia doing one thing, that they're able to do the different pieces of that recovery job or that crisis management, so that you know when that time happens, that you have the resources in place to run 24/7 to recover quicker.
David Moulton: So, once a crisis has been resolved, the leadership work isn't over, what does effective post-crisis leadership look like in terms of recovering, rebuilding trust, and you know preparing for that next potential incident?
Christopher Scott: Post-crisis, there are a few things to think through. One, I think that the CISO is thinking about the relationship with the board, like how do I make sure that the board trusts what decisions were made, trusts the go-forward plan into the future? I find that that comes down to a lot of partnership with the external security consulting, or because boards like to look towards external experts from a crisis to say, "Okay, what did we do wrong? What did we do well? And what is our plan for the future so that we don't have this experience again?" Internally, I find that CISOs that run an effective hot wash, like let's look back to the decisions that were made. Let's look back at the things that we did well. Let's look back at the things that we didn't do well and we can improve upon. But it's not a time for blame on the decisions, because decisions were made in a vacuum, decisions were made with lack of data. They would have made a better decision if they would have had more information. It's the-that's the decision, it was a good decision based upon the data. How do I get you more data? What do you need to make a better decision next time? I mean, if we focus on how do we make a better decision; how do we get more data; how do we get more, you know, analysis of this information to correlate better, that would be the way that I would approach it, because then people come into that going, "I love my leader. I trust my leader. And I will be willing to work 24/7 when there's a crisis, because I know that my leader is going to help make me better next time."
David Moulton: Yeah. It's amazing what actual leadership looks like to somebody wanting to stick around, especially when they're in the hot zone. Chris, I ask every guest that comes on here, what's the most important thing that they should take away from today's conversation?
Christopher Scott: No decision is a decision, and enable your people to make decisions in a crisis. [ Music ]
David Moulton: Chris, thanks for the great conversation today. I appreciate you sharing your insights on leadership especially during a crisis, and talking about how organizations can effectively navigate through a cybersecurity incident.
Christopher Scott: Thanks. I really appreciate the time and I hope that people find value in the conversation.
David Moulton: That's it for today. If you like what you heard, please subscribe wherever you listen and leave us a review on Apple Podcasts or Spotify. Your reviews and feedback really do help us understand what you want to hear about. If you want to reach out to me directly, my email for the show is threatvector@paloaltonetworks.com. I want to thank our executive producer, Michael Heller, our content and production teams which include Kenne Miller, Joe Bettencourt, and Virginia Tran. Elliott Peltzman edits the show and mixes the audio. We'll be back next week. Until then, stay secure, stay vigilant. Goodbye for now. [ Music ]