3.4: Reporting Incidents Up
An incident is in progress. Something is breached, or something is down, or something strange is happening in a logs query and you’re not sure yet what you’ve got. The first message you send up — to the CEO, to the board chair, to the exec staff — will set the tone for everything that follows. Get it right, and the organization lines up behind you. Get it wrong, and you spend the next week answering questions instead of running the response.
The 24-hour template
Use this template for the first notification, every time. It fits in a Slack DM, an email, or a phone-call outline.
1. What happened. One sentence. Plain language. “At 06:12 UTC this morning, we detected unauthorized access to the customer-support Zendesk admin console.” Not “a potential security event” — an event if it’s an event, a potential if it’s a potential, always specific.
2. What we know. Three to five bullets. Facts only. “Access originated from IP X, geolocated to Country Y.” “The account compromised is [name].” “Session lasted approximately 14 minutes.” “No mass export of tickets was observed in the audit log.”
3. What we don’t know yet. Three to five bullets. Also facts. “We do not yet know the initial compromise vector.” “We have not yet confirmed whether data was viewed (as opposed to accessed).” “We have not yet validated the audit log’s completeness.” Stating the unknowns explicitly is the single thing most security leaders fail to do, and it is the thing that most distinguishes calm competence from handwaving.
4. What we’re doing. Present-tense actions with owners. “Rotating credentials on [system] — owner: [name] — ETA 30 minutes.” “Pulling full logs for the 14-minute window — owner: [name] — ETA 2 hours.” “Engaging outside IR firm on retainer — owner: [you] — ETA initial call by 09:00 UTC.”
5. When you’ll hear from us again. A concrete next-update time. Always. “Next update at 12:00 UTC with a read on the exfil question, or sooner if that read arrives.” Never “we’ll keep you posted.” That phrase is an instruction for the recipient to ask you every 15 minutes.
Five elements. Fits on a screen. Sent within the first hour of a confirmed event, then re-sent on whatever cadence you set.
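The five elements above can be enforced rather than remembered. The following is an added example, not part of the original text: a small Python model of the first notification whose validator rejects a message that lacks a 3-5 bullet known/unknown list, an action without an owner and ETA, a next-update time that is not a concrete timestamp after the send time, or the non-committal wording the section calls out. The phrase list and the ISO 8601 timestamp convention are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime

VAGUE_PHRASES = ("keep you posted", "potential security event")  # wording the section rejects; heuristic list

@dataclass
class Action:
    what: str    # present-tense action
    owner: str   # a named person
    eta: str     # e.g. "30 minutes" or "initial call by 09:00 UTC"

@dataclass
class IncidentUpdate:
    sent_at: str           # ISO 8601 with offset, e.g. "2024-01-01T06:45:00+00:00"
    what_happened: str     # element 1: one plain sentence
    known: list[str]       # element 2: 3-5 facts
    unknown: list[str]     # element 3: 3-5 facts, stated explicitly
    actions: list[Action]  # element 4: each with an owner and an ETA
    next_update: str       # element 5: a concrete time, ISO 8601 with offset

def validate(u: IncidentUpdate) -> list[str]:
    """Return the template violations; an empty list means the message can go out."""
    problems = []
    for label, items in (("known", u.known), ("unknown", u.unknown)):
        if not 3 <= len(items) <= 5:
            problems.append(f"{label}: expected 3-5 bullets, got {len(items)}")
    problems += [f"action without owner or ETA: {a.what!r}"
                 for a in u.actions if not (a.owner.strip() and a.eta.strip())]
    try:
        sent, nxt = datetime.fromisoformat(u.sent_at), datetime.fromisoformat(u.next_update)
        if sent.tzinfo is None or nxt.tzinfo is None or nxt <= sent:
            problems.append("next_update must carry a UTC offset and be later than sent_at")
    except ValueError:
        problems.append("sent_at and next_update must be ISO 8601 timestamps")
    text = " ".join([u.what_happened, *u.known, *u.unknown, *(a.what for a in u.actions)]).lower()
    problems += [f"non-committal wording: {p!r}" for p in VAGUE_PHRASES if p in text]
    return problems

def render(u: IncidentUpdate) -> str:
    """Render the five elements in order; refuses a message that fails validation."""
    if problems := validate(u):
        raise ValueError("; ".join(problems))
    out = [f"1. What happened: {u.what_happened}", "2. What we know:"]
    out += [f"   - {k}" for k in u.known]
    out += ["3. What we don't know yet:"] + [f"   - {k}" for k in u.unknown]
    out += ["4. What we're doing:"] + [f"   - {a.what} / owner: {a.owner} / ETA {a.eta}" for a in u.actions]
    when = datetime.fromisoformat(u.next_update).strftime("%H:%M %Z")
    out.append(f"5. Next update at {when}, or sooner if the picture changes.")
    return "\n".join(out)
```

Wire `render` into whatever sends the message (Slack bot, email template) so that a draft missing an owner, an ETA or a next-update time cannot leave the SOC.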
Why tone matters as much as content
The template above is neutral and specific. That is the tone you want. Not reassuring — reassurance without facts is insulting, and the people on the other end can tell. Not alarmist — alarm without plan is panic, and panic delegates nothing.
Calm, specific, time-bounded. Three adjectives. Read the template above and mark which sentences hit all three. Every sentence should.
Why concealment is a crime
In late 2016, Uber discovered that attackers had accessed a database containing the personal information of 57 million users and drivers. Rather than disclose the breach, then-CSO Joe Sullivan authorized a payment of $100,000 to the attackers, routed through the bug-bounty program and accompanied by a non-disclosure agreement, to characterize the incident as a legitimate bounty submission. The breach was concealed from regulators, from affected users, and during an active FTC investigation into Uber’s prior 2014 breach.
When the concealment was uncovered, the consequences were significant. In 2018, Uber paid $148 million to settle with state attorneys general. In October 2022, Joe Sullivan was criminally convicted on federal charges — obstruction of justice and misprision of a felony — making him the first former corporate security officer convicted of a crime tied to breach response. He was sentenced to three years of probation in May 2023.
The case changed the calculus for every security leader in the US. The legal obligations to disclose — which vary by jurisdiction, by regulatory regime, and by contract — are not negotiable and are not hidden from prosecutors. The people covering them up are personally liable. Your general counsel is not optional on an incident; your general counsel is the reason you stay out of the Joe Sullivan chair.
A single rule: when in doubt, disclose. The cost of over-disclosing to your board, your GC, your regulators, and your customers is a harder week. The cost of under-disclosing is in the caselaw now.
One more note on cadence
The 24-hour template isn’t one message — it’s a rhythm. First message in the first hour. Update at a fixed cadence (2 hours, 4 hours, 24 hours, depending on severity). Final message when the event closes, with a clear statement of what changed and a date for the post-incident review.
The organization’s confidence in you is not built on the content of any single update. It is built on the fact that updates arrive when you said they would.