“These days a CSO probably won't get fired for being breached. But screw up the response - especially if it comes out that you haven't been routinely practicing - then you are in trouble” explained Ted Julian of Co3 Systems.
The industry is working to shift from a bias for breach prevention to the mindset of “assume breach.” The process means planning, measuring, and evaluating investments across prevention, detection, and response.
The sobering reality is that the wrong response is potentially career ending. The real risk to a CISO's tenure today comes down to one question: how are you preparing to respond to an incident?
Ultimately, getting incident response right comes down to a few key elements.
Assess your current incident response maturity
To figure out where you stand, start with a simple question: “When was the last time the response itself required active involvement outside of IT?”
Then follow up with a few more questions:
- If you needed to involve someone outside of IT today, who would you go to?
- Are they prepared for your call?
- Do you have an established working relationship?
When I spoke with Ted Julian of Co3 Systems about the role of proper response, he suggested that the common members of an expanded team include, but are not limited to: executives, communications (PR & marketing), counsel, external partners, and HR.
Each member of the team plays an important role. That means building a relationship and creating a common understanding of terms and procedures. This includes external partners for crisis communication, response/forensics, and even law enforcement.
A crisis is not the best time for a first introduction. It happens, but actively working to avoid it is often the difference between success and failure. One way to build the relationships, awareness, and skills needed to respond skillfully is through simulated experiences.
Build the team through simulated experience
When I work to guide teams through scenarios and simulations, most people claim they read the procedures and are ready. Then we kick off the exercise and “things get real.”
Simulations bring response to life.
The key lies in crafting an experience that is focused and valuable. Co3 Systems provides a platform for response that actively shapes the training experience. Ted shared that clients using the system move from an annual exercise conducted with the best of intentions to a quarterly simulation with full participation.
As Ted explained,
“Simulations make it easy to demonstrate the costs associated with security in terms that business people can understand. People can't do their day jobs. Regulatory fines and professional services fees can add up quick. For this reason, simulated incidents are probably the single most effective thing a security executive can do to raise their profile, foster trust, and earn respect. From there, expanded budgets and additional resources will flow.”
What caught my attention is the ability of a platform to bring people together, guide the training, and then serve as the same interface during an actual incident. With regular practice, that creates comfort in the system.
It also leads to the ability to pull others in on more routine incidents. That gives them more experience and insight into your work. It also affords you insight into what they value, why, and therefore what you need to protect. Done right, it guides smarter investment in prevention, detection, and response.
Accept that you’re going to pay either way; make the better choice
In the wake of high-profile breaches are the discussions about the costs. Headline grabbing numbers capture attention outside of security. However, even the breaches that don’t make the news carry rising costs.
The 2014 Cost of Data Breach Study: Global Analysis reported that the average cost to a company was $3.5 million (US dollars), a 15 percent increase over the previous year.
The key is the 15% increase. What would it mean to have 15% less budget due to a breach?
While the results of studies like this invite debate, consider the recent experience and admission from eBay after their breach forced them to ask users to reset passwords, including the following statement:
"The decline in operating margin was driven by expenses related to the cyber-attack and increased investment to increase the vibrancy of the site," Swan said. "Non-GAAP operating margin was 24.4 percent, down 190 basis points."
Adopting the mindset of “assume breach” may require the associated “prepare to pay.” The question, then, is whether we’ll work to be proactive and reduce the costs or handle them reactively. Reacting during a crisis has a tendency to drive costs up. It also sometimes confuses thinking and leads to further unnecessary investment.
Ted shared the upside, explaining that “Most firms have already heavily invested in prevention and detection - by definition additional investment in these areas will yield incremental improvement. In contrast, most firms have done relatively little with incident response - additional investment there can have a major impact.”
Better yet - elevate your status
In my experience, a focused approach to incident response that draws others into the program builds relationships, provides insights, and ultimately elevates your status.
- Involve the business in a range of incidents to find out what the real priorities are. This eliminates the guesswork, takes some pressure off you, and helps you focus on the right things over time.
- Spread some of the work and decision making. This is an immediate answer to the staffing challenge, but it doesn’t mean dumping work on people.
- Build experience and understanding in a mutual context. This gives you the ability to have a real discussion about risks, staffing, and solutions, based on practice and actual insights.
It is another step toward getting the balance of prevention, detection, and response right. And in the process, you might just get the budget and staffing you need, with the ability to focus on what matters most to the business.