Co-authored by Jason Barnes and John Khotsyphom
Some of us in the security community took a step backward last week in our ability to deal with the crisis involving Okta. Instead of exercising well-thought-out and practiced contingency plans to objectively assess risk, many individuals took a trolling posture on social media. The reaction was neither professional nor conducive to our mission as defenders against threat actors seeking to do us harm. We should take a collective look in the mirror and reconsider our attitudes and reactions when one of our partners endures a crisis even when communications are questionable.
Understandably, leaders and practitioners are under intense pressure any time an Okta, SolarWinds, or Target hits the news. We scramble for answers. As humans, that is our nature. But fixing the blame on Okta via social media based on some screenshots proves some in the community have far more improvements to make than we imagined. Some of us seem to have reverted back to the hope that technology will save us all, ignoring the imperative of critical thought required to effectively defend an enterprise.
Key things to remember about crisis response
In a crisis—whether it pertains to a cyber attack, physical disaster, or supply chain logistics—business leaders must focus on people, organizational reputation, and finances. It is a balancing act between the head and the heart. The Board and C-Suite know their values. They prepare and practice for contingencies. As security practitioners, this understanding is table-stakes. The organization hired us with the assumption that we share these interests.
Top mistakes companies make in a crisis
To illustrate how poorly others in the community might have responded to this situation, let’s recall some fundamental mistakes in crisis communication. When a company in crisis rushes to judgment, its ability to respond accurately is crippled. Over-reaction can raise irrelevant questions. Failing to act and communicate induces uncertainty. Bending facts destroys faith—especially in cybersecurity where evid