My BLG teammates and I take the privilege of guiding clients through the perils of cyber incidents seriously. To honour the privilege, we think deeply about various aspects of our performance, including how we can perform better under pressure. Dr. Dan Dworkis’s book, The Emergency Mind: Wiring Your Brain for Performance Under Pressure is now required reading.
Dr. Dworkis is a professor of medicine and an emergency physician. His book, published in 2021, is part of a project that includes a website, podcast and other supports for individuals and teams striving to perform better under pressure. Dr. Dworkis calls The Emergency Mind a “mental toolkit.” It’s comprised of 25 prescriptions for how to think and act in high pressure situations.
When I picked up The Emergency Mind and started in, I was immediately excited. For me, there’s no greater measure of a text than its relevance, and The Emergency Mind was packed with relevant ideas. I connected with them as a lawyer and an athlete, but drew most insight in respect of my role as a cyber incident coach and team lead. I took some notes while reading, and have turned them into the table below. The left hand column summarizes some key ideas from The Emergency Mind. The Right hand column are my notes (now edited) on their application to cyber incident response.
| Practice the discipline of “suboptimal” | |
| Idea: Bad outcomes and mistakes will happen. Identify (label) and accept the mistake, rapidly pivot to face the new reality, and learn from the event. Quote: “Personally, when I perform the labeling part of a response, I begin by saying, ‘Well, this is suboptimal.’ Labelling something as ‘suboptimal’ acknowledges the challenging nature of what is happening without pulling me or my team off-line the way that calling it ‘horrible’ or ‘hopeless’ might.” | Labelling thoughts and emotions is a well-known and effective mindfulness technique. To use it in incident response, one must first acknowledge that incident response can provoke emotion. This is true, especially when things go wrong. Evidence is sometimes deleted, information is leaked or conveyed to third parties prematurely, threat actors do not do what is predicted, and so on. When faced with these problems, the team must resist the urge to dwell on the matter of fault and continue to look forward. Learning comes later in the incident response process, at least after the acute phase has passed. I also appreciate Dr. Dworkis’s use of the term “suboptimal” because it mirrors the typical objective we set in guiding clients through an incident – to “optimize” the course of action in light of business, reputational and legal risks. Use of the terms “optimal” and “suboptimal” highlights the fluid nature of incident response. There are always multiple paths to the end. |
| Combine action and analysis | |
| Idea: Have and foster an ability to apply the right mode of thinking and action – be it fast or slow. Quote: “When you are not forced to act, jumping into a response without further analysis of the emergency is sometimes a bit like throwing darts without looking at the dartboard. You might hit the board, but because you don’t understand where you are aiming, you’re much more likely to miss the target entirely and waste your darts.” | This is reminiscent of an idea I have shared with associates about practicing law fast and slow, adapted from Daniel Khaneman’s text Thinking Fast and Slow. We need to know when a legal problem deserves a quick handling – enabled by assumptions and qualifications – and when we must buy time for more robust analysis. In incident response, we are primarily in fast thinking, “action mode.” There are moments on calls when you need to pause, draw deep on experience and instinct, and declare how best to proceed. The qualification is implicit, though sometimes we explain that we are making a decision based on “gut.” At the same time, slowing the pace of decision making down is a major responsibility of a cyber incident coach. Dr. Dworkis’s dart board metaphor can illustrate the tendency of many inexperienced incident response teams to rush at the outset of a cyber incident. I’m not counselling inaction, but most teams will benefit from a pause and emotions check at the outset. There is more time available than you feel. |
| Favour praxis over theory | |
| Idea: Identify solutions that can actually be applied in the moment whether or not they represent theoretical best practice. Favour praxis – the application of knowledge to real life. Quote: “One of the best ways you can start to consider the details of praxis and theory in your field is to explore deeply the actual mechanisms that must function correctly for you to deliver your skill. Get curious about how the sausage is made, so to speak. Lean into learning both deeply in your chosen skills, and laterally into the adjacent skills that help you and your team succeed.” | This is a good one for me, particularly as it pertains to the challenge of analyzing large, stolen data sets. Doing a proper analysis based on e-discovery is plainly the ideal, but e-discovery is expensive and time consuming, and time-to-notify is a very visible fact. Burning weeks and months on e-discovery can spoil an excellent early-stage response, leaving an organization who has spent the time and money to “do the job right” the subject of overwhelmingly negative judgement and outcry. So, before engaging in e-discovery, we build the best possible informal view of the data set, we build towards reasonable assumptions, and we see if classes of individuals can be notified without e-discovery. We help clients weigh the risk of “over notification” against the risk of delay. These solutions are neither precise nor pretty, but can be defensible. |
| Decide not to decide | |
| Idea: Do not waste your decision-making resources. Devote them to the most important and difficult decisions. Quote: “During an emergency, the most critical decisions are those that irreversibly (or at least strongly) commit your team to a particular mental model or course of action.” | No cyber incident coach is happy to be brought into a matter and paired with an incident response forensics vendor who has already been retained. That single decision bears more on the outcome of an incident than any other in my view. This is because we must trust the chosen vendor, especially regarding the scope and depth of the investigation. There is a limited ability to consider and discuss the scope of forensic evidence collection, and deference to a vendor’s standard practice is the norm. These practices vary, and over and under scoping an investigation can have highly negative consequences. |
| Practice Wabi-sabi | |
| Idea: Employ the Japanese concept of wabi-sabi, which emphasizes the values of simplicity, imperfection, and transience. Quote: “… if you deny that situations change, you create a potentially dangerous schism in your universe and the reality around you. As this gap increases, the solutions and plans you had generated before reality changed will be rapidly ineffective.” | My strong preference is to contact a threat actor early because it is a fast way to gather reliable information and because it is a means of enhancing control and keeping the primary adversary in view. Threat actors – perhaps frustrated by repeated engagement with organizations who are more interested in investigation than payment – have adopted countermeasures, becoming very stingy with their information. We also recently provided counsel on an incident in which our client had reliable intelligence that a threat actor would be slow to publish in the absence of contact, which meant it could delay a reach out while remaining in control. This perfectly illustrates Dr. Dworkis’s point. The Wabi-sabi way demands detachment from a tactic we have so often helped clients deploy to a successful end. |
| See the forest and the leaf | |
| Idea: Default to an attention span that is zoomed in, but don’t lose sight of the whole field. Quote: “… emergency medical providers often find themselves handling multiple sick patients simultaneously. In these circumstances, it might not be possible, or desirable, to completely restrict your focus to a single patient. Here, communication and delegation are key, and cognitively offloading some of your thinking to skilled team members helps you deploy your focus where you need it most.” | At any given time, we will be working with ten to twenty clients who are responding to incidents – our patients. As a team lead, my attention is drawn most to those clients with incidents in the acute phase, which lasts from one to three weeks. Beyond that, incidents move into a slower phase that involves e-discovery, notification and reporting. We delegate much of the work in that phase to an excellent team of associates. These associates have a greater degree of technical knowledge about the latter phase of incident response than the partners who act as leads. Given the money spent on e-discovery and notification, the latter phase of incident response is not low risk, but it does move slower, and tasks can be delegated effectively with good communication. Good communication requires a lead to “run the board” regularly – re-building a view of all cases – and making course corrections before small latter phase problems grow. |
| Harness the wisdom of the room | |
| Idea: To the extent possible, rely on information and knowledge from every individual on the team. Quote: “As a leader, you will frequently feel tension between your need to process multiple points of view and to move forward rapidly with a plan. At some points during a crisis, your emphasis should be on action and execution of your plan. At others, the emphasis might be on unifying your team’s vision through open discussion.” | Dr. Dworkis recommends asking the team, “What are we missing? What have we not tried yet?” I’ve done more of this questioning at his urging, and like how it affects the team dynamic. It’s an acknowledgement that incident response is complex, that there are few clear answers and that the perspective of the team matters. It’s an invitation to humility, and a humble crises leader is a good crises leader. |
Preparation and performance under pressure go hand in hand, and we all know that preparation for cyber incidents is a critical best practice. My urging to cyber responders (lawyers and non-lawyers alike) is to expand your scope of preparation to encompass performance under pressure. This will help you develop fundamental skills and behaviors to that will have an impact on your and your teams’ performance. Reading The Emergency Mind would be a great start.
All About Information 