
Life post-breach: Why one CSO says the worst days of a breach are the ones after it happens

“It is an emotional roller-coaster when it’s over because you’re just like, ‘Okay, now what happens?’” IANS faculty member George Gerchow says.


Like the aftermath of a day at the beach without any sunscreen, the worst part of a security incident isn’t the day it happens—it’s the days that follow.

That’s according to IANS faculty member George Gerchow, who was CSO at Sumo Logic when it went through a security incident in 2023 involving an intrusion of an AWS account.

“It is an emotional roller-coaster when it’s over because you’re just like, ‘Okay, now what happens?’” Gerchow said. “And then CISOs, let’s face it, they’ve been blamed for a lot of this activity over the last few years.”

Not your average Turkey Day. Gerchow, now CSO at Bedrock Data, sat down with IT Brew to discuss what it was like navigating the cloud-native SOC company through the event, which occurred just before Thanksgiving that year.

“A threat actor got AWS credentials from a former developer that worked for our company that were left in clear text in GitHub,” Gerchow said. “Those credentials were then used to access something called TruffleHog, which looks for secret key management.”

Despite the untimely nature of the event, Gerchow said he and his team quickly and seamlessly sprang into action. Two forensic firms were brought in to investigate the incident, along with outside counsel.

“Everything that you’ve prepared for kicks in at that time,” Gerchow said, recalling the myriad tabletop and technical scenarios his team had gone through over the years. He described his role as a communicator, both internally and externally with stakeholders.

“One of the things that we did that was really smart, was we stood up a security response center that exists today,” Gerchow said. “That way, our thousands of customers could see exactly what was going on. Even if I had nothing to say, I would get in there and go, ‘Nothing has changed,’ but that constant communication was important.”

The aftershock. While Gerchow’s team operated like a well-oiled machine during the actual security event, he said moving forward from a security incident is often a hard task for security professionals because of the “what-ifs” that they face, including the fear of waking up and seeing a threat actor gloat about stolen data.


“Through Christmas and New Year’s of that year, and that incident in particular, I didn’t sleep at all,” Gerchow said. “I slept less during that time than going through the actual incident because I was afraid that maybe there was something we missed.”

After helping the company move forward from the incident, Gerchow’s time at Sumo Logic came to an end—a preplanned move delayed by the security event since Gerchow wanted to stay and support the company. However, during his first day at his new gig at a large public company, Gerchow was met with a surprise: yet another security incident.

“My next job, I start, day one, company’s going through an incident,” Gerchow said. “I came on board as head of trust to be more comms [focused] and [the] CISO resigns, and I ended up taking over the team.”

Growth experience. While security incidents are becoming more commonplace in the industry, they are not easy for CISOs and CSOs to overcome. Olivia Rose, an IANS faculty member and CISO and founder of boutique consultancy firm Rose CISO Group, told IT Brew security hiccups can take a large mental toll on professionals.

“It takes over your personal life so drastically, and it manifests in very negative ways: losing sleep, not working out, eating terribly, [being] worried about your team,” Rose said.

Gerchow said the Sumo Logic incident caused him to “lean a lot more into mental health” moving forward.

“There’s something about being the heroes, but there’s a toll that it takes on people, too,” Gerchow said. “And so, I really started looking for ways to let my team just breathe and do some things for themselves.”

Gerchow advised security professionals supporting companies through incidents to remain calm during the process.

“These negotiators…they don’t sweat. They get on the phone and when they’re talking to a potential threat actor…they don’t sweat. You better not sweat either,” Gerchow said. “You start sweating, your team sweats, the company sweats, and it all falls down.”

About the author

Brianna Monsanto

Brianna Monsanto is a reporter for IT Brew who covers news about cybersecurity, cloud computing, and strategic IT decisions made at different companies.
