What Equifax Can Learn From the Military About Surviving a Data Breach

Equifax heads to Capitol Hill this week, where former CEO Richard Smith will testify and detail the company’s missteps in response to the massive data breach that exposed as many as 143 million people.

That Equifax’s poor crisis response made an already bad situation worse cannot be denied. But the bigger lesson for Equifax – and the dozens of government organizations and companies who have faced similar security breaches in recent months – is that to a large extent, their future has already been determined by how prepared (or rather, unprepared) they were before the crisis occurred.

As CEOs, there is no doubt that the ability to act decisively, communicate clearly, and keep teams focused is critical to leading successfully in and through a crisis. But even more critical to how CEOs respond in crisis is how they have “made ready” the organization long beforehand.

The concept of “readiness” is not used widely in the business world, but it is ingrained in our military services. And business leaders can learn a great deal from the military about preparing for both foreseeable and unforeseeable crises.

“critical to how CEOs respond in crisis is how they have ‘made ready’ the organization long beforehand.”

Measuring and improving military readiness has been refined to a science. In fact, being ready is one of two things that our military forces do on an ongoing basis. They are either doing their mission, or they are preparing to do their mission. That mission could be anything from warfare to disaster relief, but in most cases, it involves some sort of a crisis.

To be prepared ahead of time, the military does deliberate planning to ensure they have the people and resources needed to execute assigned missions. The ability to “be ready” for a specific mission, or provide a specific capability when needed is the driver behind both near-term and long-term resource allocation decisions, as our forces must be concerned with both “current” and “future” readiness.

What does military readiness have to do with Equifax and leading in crises? The bottom line is this: if we as leaders don’t think deliberately about real risks in our environment, and take reasonable measures to be ready should those risks occur, then it is unlikely we’ll be ready to lead the organization through the most catastrophic of those scenarios. Asking and answering some key questions can help raise your level of readiness to respond to an Equifax-like crisis.

What are the risks to our company? How likely are they to occur? If they do, what would the impact be? We may choose to assume a risk and mitigate it if the probability of occurrence is extremely low, or the impact is minimal. Our military forces incorporate threat analysis in their planning. When it comes to cyber-attacks, each organization should assess threats and risks for themselves, but one need not look far to see that the likelihood of occurrence is high, and the business impact for many companies can be catastrophic.

Are we aligned to effectively respond to a crisis? Do we have the right organization and processes in place? In many cases, crisis response requires a shift in alignment, priorities and thinking. That shift should be pre-planned. For example, in response to a catastrophic earthquake, the Navy redirected resources to support disaster relief efforts. This required temporarily redeploying ships, forces, and communications infrastructure. At multiple levels of command, operations “cells” or teams were established to focus on specific areas of concern, such as communications, logistics, and people. At the center of this crisis response structure was a current operations cell, tasked with coordinating across the other teams through communications and reporting, and thus to ensure that common “situational awareness” was maintained by all. In other words, keeping everyone on the same page.
For non-military scenarios, the structure of the teams would vary depending on the organization and the crisis, but the construct is relevant. In responding to a corporate cyber-attack like the one Equifax experienced, cells might consist of a damage assessment team to determine the extent of the breach, a cyber team to assess how the breach occurred and to determine the appropriate response. There would likely be a team to determine regulatory and legal compliance, and one to handle communications with the media and with impacted customers. And of course, some kind of command and control team to keep all the actions aligned and all parties informed.

Do we have the right equipment and facilities in place, now and planned for the future, to ensure we’re able to work in crisis? For the military that includes ships, planes and military supplies including weapons, ammunition, combat vehicles, and maintenance tools and equipment. But it also includes computers, networks, business systems and facilities.
It may be that our planning for certain crises indicates we need an alternate worksite in the case of a disaster, or that we need additional computers, network capacity or phone lines for call centers to respond to customer inquiries. Recognizing those needs when in crisis is too late.

Most importantly, do we have the right people? Do they have the right experience, knowledge, skills and abilities? If not, what can we do to close the gap? In the military that ‘gap’ in personnel readiness drives recruiting and training efforts. Compensation actions can focus on retaining key skill sets or enticing people to move to a hard-to-fill position. But again, if that team isn’t in place when the crisis occurs, it’s unlikely they can be assembled in the moment.

There is one final piece to the readiness puzzle that the military readiness system does not formally measure, but it is no less ingrained in their culture. Principled leadership ahead of crisis is possibly the single most important determiner of success in a crisis. The questions we must ask ourselves here focus on values and culture. Do we, individually and collectively, have a core set of values that guide our actions day-to-day – honesty, integrity, accountability, urgency? Do we cultivate relationships within our organization? Our customers? Our stakeholders? Do we value individuals and diversity, foster trust and work toward a culture of openness and transparency?

If present in an organization prior to a crisis, these foundational leadership elements dramatically improve the odds of successfully navigating the storm. Absent these principles, we’re like a ship without a rudder. When the storms come, the ship will be lost.
John F Kennedy once remarked that “when written in Chinese, the word ‘crisis’ is composed of two characters. One represents danger, and the other represents opportunity.” We have an opportunity to learn from Equifax and others, and to “make ready” ourselves and our organizations for the crisis that will come.