Work with the right people.
"We're operating in two courts at the same time the court of public relations and the court of law," says Joe Brennan, executive director of communication and marketing at Ohio University, which suffered a series of data breaches in 2006. "The CIO has to know that what the organization says and does can expose the company to legal risks."
To minimize such risks, reach out fast to the nontechnical folks who can help you, says Janice Malaszenko, who has served as CIO and chief technology officer at several Fortune 1,000 companies. Those people include human resources staffers, who can help deal with employee-related issues; public relations people, who might need to field questions from the media; and legal staffers, who will help craft responses to public and legal inquiries.
You also might need the chief financial officer to authorize emergency spending, accountants to track spending for insurance claims, or operations folks to work overtime to make adjustments as IT gets everything back up and running, Brennan says.
It's also important to touch base with executives from your vendor companies, says Dennis Fishback, CIO at Calpine Corp., an energy producer in San Jose. That way, you can reach them quickly if you can't get what you need through the normal chain of command.
Identify the problem, then dig deeper.
The recovery process must include a root-cause analysis, Malaszenko says. So while your IT team is containing the situation to prevent further damage, you and your staff must be analyzing the underlying problem to prevent it from happening again.
That's just the start, though. "Look around at the environment and ask what other scenarios or situations could happen," says George McBride, director of IT risk consulting at Aon Consulting Worldwide in Chicago.