Why you need more than daily practice to be good at incident response

Move past constant reaction with an evidence-driven approach to improve incident response and the entire protection cycle

"Oh, we're good at incident response, we get a chance to practice it every day," the CISO explained with a chuckle. Despite the laugh, he was entirely serious.

That is a common notion, but engaging in incident response on a regular basis doesn't necessarily indicate competence or success.

While some companies may actually be good at incident response, most have room for improvement. If you think you've mastered incident response, question the types of incidents detected and time to resolution.

Is your enterprise *really* good at incident response?

If the common “incident” is detecting a virus on a laptop, that doesn’t necessarily indicate how your team would do in a more critical or advanced incident scenario.

That means there is a need to think about incident response a bit differently: as an opportunity to consider the entire system of prevention, detection, and response with an eye for improvement.

Joan Pepin, Director of Security for Sumo Logic, spoke with me to share additional insights based on her experience building more effective incident response capabilities.

Considerations before investing in incident response solutions

Joan started our conversation confirming “security metrics are key. Organizations must take a data-driven approach to understand the incidents they experience and how they respond to truly evaluate their success and weigh solutions.”

That means asking evidence-based questions before investing in high-cost technology, services, or personnel focused on addressing broad or specific types of incidents. To get started, ask and quantify the following:

  • How much does a typical incident cost in lost productivity?
  • Do the incidents typically require the use of external resources? If so, what cost is associated with their time?
  • What is the cost of a potential solution? What is the expected benefit from the solution, and how is it measured?

These questions guide the right conversations about what is needed. Taking the time to work through them prevents buying a tool or solution that does not match the actual threat or provide a demonstrable return.

How to break down financial impact of an incident

Asking questions often drives the need to get a more complete understanding of the financial -- and human -- impact of an incident.

Here are some suggestions to dig deeper based on the conversation Joan Pepin and I shared (too bad we didn't record it). We took on the common example of a virus infection on a desktop (or laptop):

  • Lost productivity: with an average salary of $50,000/year, losing a day to a virus would cost roughly $200 (work with HR to get more accurate average hourly costs in your organization)
  • Remediation costs: on average, it costs roughly $100 for IT to re-image the device (doesn't include cost of lost data)
  • Factor in additional costs: use a percentage -- 20% is reasonable -- for missing key meetings, delays in calls, or other harder to quantify impacts

That totals an average cost of $300-400 for each virus infection incident. Multiply this amount against the number of expected virus infections to get a rough estimate of the annual cost. Repeat the process for the most common incidents to get a baseline for the costs of typical response scenarios.
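The cost breakdown above, carried through as a small model (an added example, not part of the original article): it reproduces the virus-infection figures, annualizes them across several incident types to build the baseline, and answers the earlier question of what a proposed solution is expected to return. It assumes 250 working days per year (which is what turns a $50,000 salary into roughly $200 per day); the incident list and the solution figures are constructed sample inputs.

```python
from dataclasses import dataclass

WORK_DAYS_PER_YEAR = 250  # assumption: ~250 working days, so $50,000/year is ~$200/day


@dataclass
class IncidentType:
    name: str
    avg_salary: float           # average annual salary of the affected staff
    days_lost: float            # productivity lost per incident, in working days
    remediation_cost: float     # direct IT cost, e.g. re-imaging the device
    expected_per_year: int      # how many such incidents you expect annually
    overhead_pct: float = 0.20  # harder-to-quantify impacts: missed meetings, delayed calls


def per_incident_cost(inc: IncidentType) -> float:
    """Lost productivity + remediation, grossed up by the overhead percentage."""
    lost_productivity = inc.avg_salary / WORK_DAYS_PER_YEAR * inc.days_lost
    direct = lost_productivity + inc.remediation_cost
    return direct * (1 + inc.overhead_pct)


def annual_cost(inc: IncidentType) -> float:
    return per_incident_cost(inc) * inc.expected_per_year


def baseline(incidents: list[IncidentType]) -> dict[str, float]:
    """Repeat the per-incident calculation for each common scenario to get the baseline."""
    return {inc.name: annual_cost(inc) for inc in incidents}


def solution_net_benefit(incidents: list[IncidentType], solution_cost: float,
                         reduction_pct: float) -> float:
    """Expected annual benefit of a solution that cuts these incidents by reduction_pct,
    minus what the solution costs per year. Negative means it does not pay for itself."""
    avoided = sum(annual_cost(inc) for inc in incidents) * reduction_pct
    return avoided - solution_cost


# Constructed sample inputs for illustration only.
SAMPLE_INCIDENTS = [
    IncidentType("virus on laptop", avg_salary=50_000, days_lost=1, remediation_cost=100,
                 expected_per_year=40),
    IncidentType("phishing credential reset", avg_salary=50_000, days_lost=0.25,
                 remediation_cost=50, expected_per_year=120),
]

if __name__ == "__main__":
    for name, cost in baseline(SAMPLE_INCIDENTS).items():
        print(f"{name}: ${cost:,.0f}/year")
    # Hypothetical endpoint tool: $10,000/year, expected to cut these incidents by half.
    print(f"net benefit: ${solution_net_benefit(SAMPLE_INCIDENTS, 10_000, 0.5):,.0f}/year")
```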

This is helpful when a series of small incidents adds up to the financial impact of one large incident. Working through this process puts the cost of the "daily exercise" into perspective.

What are you protecting, anyway?

An understanding of the costs associated with incidents helps guide the selection of the right solutions. Equally important is a clear understanding of what information and assets require protection.

As Pepin explained, “To best protect their data, enterprises must know what their ‘crown jewels’ are. Without an understanding of their sensitive, business-critical data, it’s impossible to put the right processes in place to secure it.”

Use visualization and other techniques to gain insight into what needs protecting. That also helps evaluate the impact of potential solutions on people, and how they do their jobs. It is important to ask and truly consider if a service or technology change impacts other important services.

If there isn’t a clear understanding of what assets or processes are higher priority (or more valuable), consider the following:

  • Does the asset affect or process financial transactions? If so, what is the potential range of impact?
  • Is the asset public-facing, like a consumer website? If so, how would you value the impact to your brand of an outage?

Once you understand the true costs that your business faces, look to see if you have the right team in place – with the right skill sets.

Optimize your incident response

By understanding the incidents that you face and the talent it takes to address them, an organization can better see whether it has the expertise needed to meet the needs that exist today.

According to Pepin, “in an age where Big Data is almost as hot as IT security, being able to leverage the data hidden within your business to better understand and protect it can offer real cost and competitive value to organizations of all sizes.”

The key is tracking the right information to look for ways to enhance current capabilities. Look for ways to improve detection, lower the cost of response, and determine where additional solutions or outside help are warranted.

Not all incidents can be prevented (despite a prevailing prevention bias). Adopting an evidence-driven approach leads to an improvement in detection and the capabilities necessary for better response.
