Empowering Business Leaders to be Savable Victims: Drawing Incident Response Insights from Rescue Scuba Diving

Photo courtesy of Melanie Ensign

Training to become a rescue scuba diver is not just about learning how to save others; it’s also about understanding how to be a “savable victim.” In the context of cybersecurity, a savable victim is someone who, in the event of a security incident, understands their role and responsibilities, communicates effectively, and remains calm under pressure. As a victim, trusting your rescuer and following their instructions can make the difference between a successful rescue and a dire outcome. My experience in cybersecurity incident response and rescue scuba diving taught me the importance of proficient rescuers and cooperative victims.

One of the first lessons taught in rescue diver training courses is the importance of self-awareness. As a diver, recognizing your own limits is essential for preventing accidents. By understanding your physical and mental boundaries, you can avoid putting yourself in situations that may require someone to rescue you. Accurate self-awareness also makes you a more reliable victim because you can communicate your state and needs to your rescuer. In the same way, business executives experiencing a cybersecurity incident should have a keen sense of self-awareness. Understanding the extent of their knowledge and expertise in handling such situations can help them make informed decisions based on technical realities.

CISOs often need help articulating this, but many of their executive leadership teams make it difficult for the organization to respond well to security incidents. Essentially, they’re uncooperative victims. Poor planning (or none at all), underinvestment, and real-time disruptions during an investigation, such as changing the course of action without consulting the CISO or interfering with the work of the response team, are symptoms that your executive team doesn’t understand how they can be most effective during an incident (or why they should).

At Discernible, we don’t just include executives in tabletops — we strengthen the relationships between security and business leaders so that when sh*t hits the fan, senior management has enough confidence in their CISO to not get in the way of response or recovery. They need to know what to do, when to do it, and when to stop – and most importantly, they must commit to their role and responsibilities in advance. 

What does a savable victim look like? 

Below are several common characteristics and traits that, when missing in executives, make it difficult for security teams to provide the necessary support and intervention.

Effective Communication

Effective communication underwater can be challenging, but it is a vital skill taught in every diving course, no matter how advanced your training. By mastering hand signals, body language, and communication devices, divers in trouble can convey critical information to their dive buddy or rescuer. When a diver can signal distress or provide details about their condition, it can significantly improve the chances of a successful rescue.

In cybersecurity, effective communication among team members, including senior management, is crucial for a prompt response and resolution of incidents. Business executives must foster a culture of open communication about security within their organizations, ensuring everyone – including themselves – knows how to speak about risk without fear-mongering, denial, or contempt. 

Calmness Under Pressure

Panic is one of the most dangerous reactions in an emergency, both for the victim and the rescuer. It can exacerbate the problem and put the rescuer and the victim at greater risk. Rescue diver training emphasizes the importance of staying calm under pressure because we need to think clearly to assess the situation and regulate our physiological reactions. By practicing simulated rescue scenarios, you learn to manage your anxiety and maintain composure. As a victim, staying calm allows rescuers to assist you more effectively and reduces the risk of further complications. 

Similarly, executives must maintain their composure during a security incident to lead their teams through the incident response process. A common source of panic during security incidents is well-intentioned leaders who either don’t know their roles and responsibilities before a security incident occurs or lack the discipline to follow through on the plan. Executives who fly by the seat of their pants or create disruptions during an investigation, even if they intend to be helpful, create chaos for the response team and external stakeholders. Because most executives don’t advance into leadership roles by sitting still and respecting boundaries, doing so during a security incident can feel foreign and uncomfortable. They need to be trained, like the U.S. Navy SEALs, to “embrace the suck” with predetermined and practiced actions that are helpful to the process. Giving executives something productive to do helps keep them calm, which allows everyone to think strategically, prioritize actions, and communicate effectively, thereby minimizing the impact and steering the organization toward recovery.

Insight into Rescue Techniques

Understanding rescue techniques from a rescuer’s perspective gives you valuable insight into the most helpful actions for your rescue. In scuba diving, you learn how to position your body to assist in a lift or conserve energy while waiting for help. This knowledge makes you a more cooperative and manageable victim, facilitating a smoother rescue process.

Rescue divers repeatedly practice emergency scenarios to build muscle memory and ensure our responses are automatic and efficient. Just as important is diving frequently without a scenario to keep our observation skills sharp and to practice executing safe dives. Ironically, routine non-emergency protocols are missing in many security incident response plans, and it is as if we don’t expect executives or cross-functional partners to know how things work when there isn’t an incident. Indeed, regular cybersecurity training and simulated attack exercises can significantly enhance an organization’s readiness to handle actual incidents. 

Still, the best thing an organization can do to prepare for a security incident is to establish and document decision-making procedures for day-to-day risk acceptance, mitigation, and communication so that everyone you will need to make these decisions during an emergency will already know each other, trust each other, and be proficient in acting quickly together. A non-incident can become an incident in the blink of an eye, so the more your day-to-day operations incorporate the same people/teams from your incident response plan, the better your chance of a successful rescue.  

Training as a rescue scuba diver goes beyond the skills of saving others; it equips you with the knowledge and composure to be a savable and helpful victim. By understanding the intricacies of rescue operations, maintaining calmness, and communicating effectively, you enhance your own safety and that of those around you. Whether you’re the rescuer or the one needing rescue, these skills ensure that every dive is a safe and enjoyable experience. Imagine if CISOs knew how to teach their executive team to be more helpful, cooperative, and savable victims. That’s why we’re here!
