A Little Calm Goes a Long Way After a Cyber Attack
October 24, 2022
FTI Cybersecurity expert Tracy Wilkison preaches patience (and preparation) to mitigate potential compliance issues before rushing to get back online.
Tracy Wilkison understands the sense of urgency that can run rampant throughout a company when it suffers a cyber attack. As the former U.S. Attorney for the Central District of California, responsible for pursuing intellectual property cases and cases related to computer hacking, internet fraud, and identity theft, Wilkison has been in the room with company leaders as they hurry to contain the damage.
“They want to stop the bleeding immediately and get back online as fast as they can,” says Wilkison, who recently joined FTI Cybersecurity as a Senior Managing Director following more than 20 years with the U.S. Attorney’s Office in California. “But there’s a big difference between acting quickly and acting strategically.”
In the aftermath of an attack, companies often have to balance incident response against regulatory compliance. That can be tricky, Wilkison says, given competing business priorities, the patchwork of data security laws and the number of regulatory bodies involved. To better grasp this scenario, the FTI Journal asked Wilkison — who led the team that investigated the Sony Pictures Entertainment attack in 2014 — to share her insights.
FTIJ: You’ve sat with company leaders the day after a cyber attack. Can you “read the room” for us about how they typically respond?
Wilkison: Well, if they have an excellent cyber readiness plan, and it’s good to go, then they can act quickly and strategically. If not, they can become overwhelmed and a little scattered. It sometimes takes a meeting to say, Okay, let’s take a breath, we need to figure out what your priorities are and make sure all your people are talking together and moving in the same direction.
Funny, I once worked with a company that had a decent readiness plan, but in terms of their [internal] communications, they listed employee names on the plan instead of positions. And when one guy left, it all fell apart.
FTIJ: What should companies be aware of with regard to regulations and compliance?
Wilkison: There are so many regulators and statutes in the game, and a lot of them are competing. It can be overwhelming to try to keep up. Companies need a steady hand to guide them when they are looking at this patchwork and trying to make sure they’re following everything.
Frankly, one reason I joined FTI Consulting is because the model for compliance and cybersecurity ties a variety of groups together to handle different situations. So, if you’re having a cyber breach, for example, you’re going to need folks in the cyber department to help you with response. But you may also need data and analytics experts to go through your network and look for certain items as part of an investigation. You may need strategic communications to help with messaging to stakeholders.
FTIJ: Clearly, a well-crafted cyber readiness plan is critical. Drawing from your days as a U.S. Attorney, is there anything companies might overlook in their response planning?
Wilkison: Yes, the need for collaboration. One thing companies often lack is a translator — someone who is good at talking for and with the tech folks — IT and CISOs [Chief Information Security Officers] — when they start engaging with the [corporate] attorneys [who are concerned with compliance and future litigation]. The tech folks have one goal and focus, and sometimes the attorneys have another and they will have their elbows out. They’re protective. They want to make sure that everything is secure, and they get worried about everything. You can’t blame them — that’s their job.
As a prosecutor, I was able to communicate with the CISOs as well as the attorneys to help them understand their roles in assisting in the investigation. Who was behind the attack? Things like that. There are a lot of elements after an attack that require organizing, and it’s important to be the calm person who has been through this before and can show them the path to resolve the issue.
FTIJ: Can you talk about how your background prepared you for the cybersecurity sector?
Wilkison: Something I’ve learned about cybersecurity in particular is that you don’t necessarily need to have a technology degree or a tech background to learn and be successful. I certainly did not have cyber experience when I joined the cyber section [at the U.S. Attorney’s Office]. I was a history major and a lawyer. There is a lot of room in the field for people with all different kinds of backgrounds, men and women. You just have to be willing to learn and to listen.
FTIJ: Speaking of women, the cybersecurity field has traditionally been male oriented. Do you have any advice on how to attract more women to the field?
Wilkison: Sure. Hire more women in high positions. You know, when I was with the U.S. Attorney’s office, I would often find myself as the only woman in the room with the heads of multiple agencies. Women need to see themselves represented more in the work world. If they can see it, they can envision it. And that’s true not just for women, but for underrepresented communities and all people in general.
It’s also important to find and to be a mentor. As I once heard somebody say, when you get to the top, send the elevator back down and reach out to people who are trying to get up. Find out what they’re interested in, talk to them, support them. What are your career goals? Where would you like to go?
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, Inc., its management, its subsidiaries, its affiliates, or its other professionals.