Incident Response Planning: Breach Brigade

Going public: When bad things happen to your enterprise, you'll need a team and a process in place to help you survive the hot glare of media scrutiny.

By Tracy Mayor

February 01, 2004

CSO — A comedian once suggested that an executive's only viable option when cornered by Mike Wallace and his 60 Minutes crew is to fall to the floor and feign death. Let them in the door and you're toast; keep them out and you only incriminate yourself in the eyes of judgmental viewers.

These days, corporate security executives can be forgiven for secretly wanting to roll over and play dead themselves. Boxed in on one side by new public disclosure laws and regulations, and on the other by an ever more savvy and sensationalistic press, CSOs increasingly must find successful strategies for responding as their breaches play out in the public arena.

Thankfully, say experts, there are alternatives to chaos and panic when a physical or digital security incident (or both, as seems to have been the case in last August's power grid failure) becomes a matter of public knowledge.

Connie Emery, chief privacy and security officer at Tenet HealthSystem, is one security executive who's been blindsided by a breach and lived to tell the tale. When an internal user error sent confidential patient information to the wrong person, that individual called a local news station rather than the hospital to report the incident, triggering every CSO's worst nightmare.

"We were not aware of the problem when the media called, so that part was a worst-case scenario," says Emery. "But we immediately put our task force on it, and it wound up going very well, all things considered."

What put Tenet Health in a position to deal successfully with the unexpected? According to Emery, the company had a team identified and in place for just such an emergency; the team was quickly able to pinpoint the cause of the problem; and a C-level hospital executive was ready to deliver a clear, succinct explanation and message of reassurance to the public.

As in nearly all other aspects of security, preparedness is the watchword for successful public communication. Security officials from industries as diverse as health care, finance and transportation say the key is to have a plan in place before you ever pick up that phone to find a reporter or irate business partner on the other end.

Every company should have an incident-management plan, and every company's incident-management plan should include a communication component to help determine who gets told what, when and how once a breach has occurred. "If you don't have a plan up front, you're going to misfire," says Michael Rasmussen, a Forrester Research analyst who specializes in security. "You need to have public relations in place. Otherwise, you communicate too much or communicate inaccurate information."
