Managing the emotional toll cybersecurity incidents can take on your team

Normalize crises to reduce shocks

Normalizing crises could help reduce the emotional shock of a bad cybersecurity incident. “I got this really good advice from the COO of eBay when I was working there,” Sullivan says. “He said, ‘If your job is to respond to crisis situations, you need to build an organization that views it as their job, not as a crisis.’ In short, if your job is to put out fires, build a fire department. Firefighters wake up every day, and they know what their job is. They don’t stress. They go into high-risk situations, but they’re prepared and trained, work in shifts, and have the right equipment. They’re built to respond to fires. We have to build our security organizations to respond to fires.”

Ian Campbell, security operations engineer at DomainTools, spent 10 years as an emergency response dispatcher. He extends the fire department metaphor to underscore the importance of not allowing team members to bottle up their emotions after an incident. Campbell observed that the police department “was very much, ‘this is what happens, get it done, move on to the next.’”

The fire department, on the other hand, “had structures set up ahead of time that were much healthier for people to process incidents,” with many pre- and post-incident discussions on how the firefighters were feeling, Campbell says. “What I realized throughout ten years is that ‘keep it to yourself’ is a harmful attitude. Setting up programs like [the fire department program] ahead of time is crucial.”