
Shared lessons, stronger defenses: What CISOs can learn from others' worst days.

Key takeaways for CISOs on building resilient security systems and teams.

Published December 13, 2024

In the fast-moving world of cybersecurity, we often chase the latest threats, defenses, and tools. But, as security journalist Brian Krebs notes, human factors and organizational issues trigger breaches more often than technical failures do. The challenge? Protecting against non-technical failures feels more like an art than a science, and you often don't know you have a problem until it's too late.

That's why we gathered insights from Reddit's r/cybersecurity community, drawing wisdom from IT pros who've faced their worst days and lived to tell the tale.

As we share their stories, we'll highlight the common cracks in processes, culture, and decision-making that lead to disaster, and what you can do to prevent them. By learning from others' crises, CISOs can manage risk and strengthen their organization's security posture for 2025's challenges.

Lesson #1: Educate stakeholders

"Management just doesn't care...until an incident like ransomware or a compromise forces them to care."

Cybersecurity isn't just the IT security team's responsibility. It's an organizational must. Yet many CISOs find that business leaders undervalue security measures such as multi-factor authentication (MFA) until it's too late. Effective communication that bridges this gap might be the hardest part of the CISO role.

Framing security risks in terms of business impact, like potential revenue loss or reputational damage, will resonate more with stakeholders.

Pro tip: Schedule regular security briefings for non-technical stakeholders, emphasizing how cybersecurity supports wider business goals like maintaining reputation and customer trust, ensuring operational continuity, and protecting critical data.

Lesson #2: Practice and test crisis response

"Outbreak events or similar crisis situations highlight how unprepared organizations are. These types of crisis situations can be practiced beforehand...but other operational tasks seem to always steal priority."

Every CISO knows that a detailed incident response (IR) plan is essential. But simply having a plan isn't enough; you also need to test it. Crisis simulations, tabletop exercises, and red team/blue team drills expose the weaknesses that a plan on paper hides.

Netflix built Chaos Monkey to randomly terminate production instances so that engineers design for failure and practice responding to it before a real outage, and large operators such as Facebook have run similar deliberate failure drills. The same principle applies to incident response: a team that has rehearsed a bad day handles the real one faster.

The 2017 Equifax data breach, which exposed the personal data of roughly 147 million people, began with an unpatched web application vulnerability, but an incomplete response strategy and muddled lines of authority made the fallout far worse. More recently, the 2020 SolarWinds supply-chain attack put incident response plans to the test. Organizations that had rehearsed IR scenarios, including coordinating with external vendors and regulators, were better equipped to respond quickly.

Pro tip: Schedule IR drills regularly so they don't get lost in operational priorities. Rotate scenarios to cover a range of threats, from ransomware attacks to insider threats.

Lesson #3: Document everything

"You will never know when you will need meeting notes, an email, or just a casual conversation!"

Good documentation isn't just a best practice; it's a lifeline in the aftermath of a security incident. Whether it's an audit trail, meeting notes, or emails, clear records can protect IT leadership and the organization legally and operationally.

What's more, solid cybersecurity documentation and incident reporting help an organization establish what actually happened, in what order, and what needs to happen next.

Pro tip: Invest in centralized tools that automatically log and report on security events like user logon events, making thorough IT forensics easier during audits or investigations.

Lesson #4: Backup and test restorations

"Nobody cares about your backups. They care about the restore. Test that."

Backups are only as good as your ability to restore them. Testing file restores without verifying full system recovery can lead to disastrous surprises.

In the wake of the 2017 WannaCry ransomware attack, some organizations learned the importance of backup hygiene the hard way. Many paid ransoms or lost data because their backups were insufficient, faulty, or non-existent.

Ensure your disaster recovery (DR) strategy includes simulated catastrophic events, such as bare-metal restores and server rebuilds from scratch. IT security and operations must cooperate here, because a failure in either one takes both down.

Pro tip: Make backup and restore testing a regular part of your DR drills. Verify both file-level and full-system restoration.
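To make "test the restore" concrete, here is an added example (not IS Decisions' code, and not tied to any particular backup product) of the check a DR drill should run automatically: restore an archive into a scratch directory and compare every restored file against a SHA-256 manifest written at backup time. The sample files, the archive layout, and the manifest name `MANIFEST.sha256` are all assumptions constructed for the example. The demo also simulates silent corruption inside the archive to show that an extraction that "succeeds" is not the same as a restore that is correct.

```python
"""Restore-test a tar backup against a SHA-256 manifest (added example)."""
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.sha256"  # assumed name for this example, not a standard


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, archive: Path) -> dict:
    """Archive every file under `source` and embed a manifest of path -> SHA-256.

    Uncompressed tar is used so the demo can tamper with member bytes in place.
    """
    manifest = {}
    with tarfile.open(archive, "w") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
        data = "".join(f"{d}  {n}\n" for n, d in sorted(manifest.items())).encode()
        info = tarfile.TarInfo(MANIFEST_NAME)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return manifest


def verify_restore(archive: Path) -> dict:
    """Restore `archive` into a scratch directory and check every manifest entry.

    Returns a dict with: ok, restored (count of verified files), missing,
    corrupt (hash mismatch), and error (archive could not be read at all).
    """
    result = {"ok": False, "restored": 0, "missing": [], "corrupt": [], "error": None}
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        try:
            with tarfile.open(archive, "r") as tar:
                # The "data" extraction filter (Python 3.12+, backported to
                # 3.8.17/3.9.17/3.10.12/3.11.4) rejects absolute paths, "..",
                # and device nodes: a tampered backup must not be able to
                # write outside the scratch directory during the test restore.
                extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(dest, **extra)
        except Exception as exc:  # any read/extract failure is a failed restore
            result["error"] = f"restore failed: {exc}"
            return result
        manifest = dest / MANIFEST_NAME
        if not manifest.is_file():
            result["error"] = "manifest missing from archive"
            return result
        for line in manifest.read_text().splitlines():
            expected, rel = line.split("  ", 1)
            target = dest / rel
            if not target.is_file():
                result["missing"].append(rel)
            elif sha256_file(target) != expected:
                result["corrupt"].append(rel)
            else:
                result["restored"] += 1
    result["ok"] = result["restored"] > 0 and not result["missing"] and not result["corrupt"]
    return result


def demo() -> tuple:
    """Build a constructed backup, verify it, then simulate silent corruption."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "src"  # constructed sample data, not a real system
        (src / "etc").mkdir(parents=True)
        (src / "etc" / "app.conf").write_text("listen=443\n")
        (src / "data.db").write_bytes(b"record-0001|record-0002|")
        archive = work / "backup.tar"
        create_backup(src, archive)
        good = verify_restore(archive)
        # Overwrite bytes inside the archived data file with a same-length
        # string. Tar headers stay valid, so a plain extract "succeeds"
        # while the restored content is wrong; only the manifest catches it.
        raw = archive.read_bytes()
        archive.write_bytes(raw.replace(b"record-0001", b"record-XXXX"))
        bad = verify_restore(archive)
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("clean backup:", good)
    print("corrupted backup:", bad)
```

Run it as a scheduled job against yesterday's real archive rather than a constructed one, and page someone when `ok` is false. The same structure scales up to a full-system drill: replace the scratch directory with a freshly built host and the manifest check with the application's own health checks.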

Lesson #5: Diversify security vendors

"Never put all your eggs into just one vendor's basket...especially when it comes to cybersecurity."

Vendor consolidation can simplify IT management, but it concentrates risk: if a single provider fails or is compromised, everything built on it is affected at once. The 2022 Okta breach, in which attackers reached Okta's customer support tooling through a third-party support contractor, shows how an incident at one widely used vendor ripples out to every organization that depends on it. Diversifying your vendor portfolio reduces the blast radius of any single point of failure.

This is especially important because the choice of vendor often drives architecture decisions, particularly in identity and access management (IAM), where the vendor's model dictates how authentication and authorization flow through your network. It comes down to how much you want to, or need to, control yourself, and how much you're willing and able to let someone else do for you.

Pro tip: Evaluate your vendor ecosystem yearly and maintain a mix of in-house and outsourced capabilities that matches your own tolerance for risk and need for control.

Lesson #6: Improve vendor channel communications

"The hackers have better communications between themselves than the security professionals and the security vendors."

Effective vendor channel communications are critical. A gap in communication between a vendor and its customers can delay awareness of an incident and the response to it, compounding the damage.

The Mayo Clinic is one example of proactive vendor communication. It requires vendors to adhere to strict cybersecurity protocols and conducts regular reviews and assessments, so that vulnerabilities in third-party systems don't compromise patient care.

Pro tip: Build strong vendor relationships, and ask them about what plans they have in place to ensure quick responses to incidents. This is, of course, especially important for SaaS vendors who are responsible for safeguarding your critical data on their servers.

Lesson #7: Prioritize mental health to prevent burnout

"We run ourselves ragged because failure is not an option, but...it's fine for the C-suite to fail."

CISOs and cybersecurity professionals operate under relentless pressure. In highly regulated industries, this only intensifies. In a 2023 survey of security and IT leaders responsible for cybersecurity, 62% said they'd experienced burnout at least once, and 44% reported they'd experienced burnout several times.

Burnout raises the risk of mistakes, high turnover, and ultimately, breaches. This makes addressing mental health proactively as critical as patching vulnerabilities.

Dr. Ryan Louie, a psychiatrist specializing in the intersection of cybersecurity and mental health, shared with DarkReading that encouraging open dialogue about mental health within cybersecurity teams can help create an environment that reduces the risk of burnout.

Pro tip: Foster a culture of empathy and work-life balance, starting with leadership. Consider adopting on-call rotations to spread the workload more equally, offer flexible schedules when possible, and allocate resources to prevent overwork.

A CISO's checklist for 2025

As CISOs plan for 2025, learning from the wider IT security community's mistakes is more important than ever.

Here's a quick checklist to help IT leaders prepare:

  • Practice crisis scenarios: Schedule regular IR drills and refine your playbook.

  • Engage stakeholders: Communicate risks and benefits in business terms.

  • Document everything: Keep detailed logs and notes for audit and recovery purposes.

  • Test backups thoroughly: Ensure restoration works under real-world conditions.

  • Diversify vendors: Reduce reliance on single points of failure.

  • Protect mental health: Prioritize team well-being to sustain long-term performance.

By integrating these lessons, CISOs can strengthen their organization's security posture with resilient systems and teams. And lean into lessons from the wider security community: the worst day for one organization can be a wake-up call for others.