Are you ready to anticipate breach?

Leadership mindset is the key to success when it comes to handling breaches and better security

Breach Happens

Have you been affected by a breach? Gotten the notice in the mail that your payment card or other information may have been compromised?

More hands are raised each time I ask my audiences that question.

Do you think we can prevent all the security breaches?

Most accept that “breach happens.” That leads to a better question:

Do we need to prevent security breaches?

Use the following slides to consider your answer to that question. Hopefully you come away with a new perspective. And a renewed sense of optimism for the future.

A breach is only a symptom

I introduced the concept of the “human paradox” in my book Into the Breach. In the process, I realized that a security breach -- however you define it -- is only a symptom:

“The problem is that people have been unintentionally—but systematically—disconnected from the consequences of their decisions. As a direct result, they do not take responsibility and are not held accountable. Treating a breach as the problem only makes this worse.”

We’re at an inflection point. The nature of breaches, the impacts, how they get reported. It’s all changing. And that’s a good thing.

Ending the bias for breach prevention

Part of the shift requires ending our bias for breach prevention. Our bias for breach prevention is causing blind spots. It’s a natural response to the questions that come with a breach announcement. People demand to know how it happened. Why it happened. And why it wasn’t prevented.

That leads to a call to “do something, anything” so this doesn’t happen again. That creates a trap. Inertia frees up funding and support for solutions that promise to prevent breaches.

This isn’t a call to abandon prevention. But the bias for prevention frequently excludes the necessary focus on detection and response.

The changing tide of reporting on breaches

We’re growing tired of cagey answers after a breach. Not every attack was sophisticated, complex, or unprecedented. Companies concerned about lawsuits and public image adopted an approach to suggest they weren’t at fault. It often devolves into “victim shaming.” Plenty of post-breach analysis suggests all the things the victim company did wrong.

A new trend is emerging. Smaller companies are leading a more transparent effort to explain the breach. They share what happened. They provide details. They explain what they learned. They offer insight and provide confidence that it mattered.

It demonstrates the importance of detection and response. The companies that detect problems and respond appropriately gain favor. Minimally, they don’t seem to suffer.

It’s a new, welcome trend we need to encourage more of.

Leadership mindset drives success

The key to better security is leadership and communication. The pathway requires a mindset of success.

As a first step, stop consuming a steady diet of negative news. A common side effect of the bad mental diet is to question if security even matters. Security matters. After knocking out the negative, change the story you tell yourself. Consider the story you tell others.

Breach happens. Instead of focusing on gaps, work with your colleague to adopt a different approach.

It’s time to “Anticipate Breach”

A breach is not inevitable. All hope is not lost. The opportunity is for the organization to anticipate breach.

The word ‘anticipate’ is the focus. Anticipation carries a connotation of preparedness. It is a positive, favorable concept. It replaces my previous assertion of “assume breach” -- which I cast and twisted into a positive by way of questions.

Anticipate breach is the path for leaders to protect their companies.

Use questions to shift the approach

The way to anticipate breach is to ask questions. Start high level. Stay functional and focus on mutual understanding. Don’t worry about technical considerations until later. They can wait.

This is a dialogue. An opportunity to explore. To learn together.

It’s not about offering quick answers. Even if you think you know the answer. This isn’t a time to lead with solutions.

Start with a basic question. Then bring it back to basic questions that start a conversation about prevention, detection, and response. But work in a different order. Start with detection. The next few panels help get the ball rolling.

What happens if we get breached?

The easiest way to get started is to ask, “what happens when breach happens?”

Don’t be surprised if you ask and the first answer is “nothing.” Or a shrug and puzzled look. We spent a lot of time in security exploring and understanding threats. We know attackers explore and exploit just about anything they can get their hands on. This is your chance to do the same.

This is a chance to learn. Find out how the system/solution works. Explore what would create problems. Investigate how you could evidence that. What is the signal to look for? What is the damage? Are there steps we can take?

How fast can we detect something wrong?

This question applies to everyone. Ask the business what they’d look for. Explore the options available to you.

Speed counts. Accuracy counts more. Consider the difference between an alert and a confirmation. The key is building the capability that detects when something goes wrong… without increasing the burden on your team.

Hidden in this question is figuring out how quickly you need to detect something wrong.

How well do we respond?

This is about appropriateness. What is the best response? Based on the ideal, how well do you do today? What changes get you closer to the ideal?

Based on the range of things that happen, consider how to map who needs to be involved. Figure out how to coordinate before, during, and after the response. Build in the time and effort to rehearse scenarios. Learn and work together.

How is our prevention actually working?

In the series of prevention, detection, and response, I ask this question last. Most focus on prevention, and bringing it up early tends to place focus on the wrong things. Once a clearer picture of detection and response emerges, ask about prevention.

Take the time to explore how the preventative controls work. Question if they are providing the results expected. Even better is measuring the value.

Is your prevention actually protecting the right things? If not, then perhaps some adjustments are in order. Maybe it offers insights where to focus detection efforts.

Security is not a sprint

These questions reveal opportunities. Prioritize and focus on what creates the most value. Learn from the experience. Capture and amplify the success.

Then ask the questions again.

Security is not a sprint. It’s not a marathon, either. It’s a journey. There is no destination. It’s an experience. A mindset.

Stop thinking of security in terms of winning and losing, and start thinking of it as an infinite game. A way of life.

What matters in an ‘infinite game’ is whether you are better today than you were yesterday. And the exceptional leader makes sure the people around them are better, too.

Are you ready to anticipate breach?

Copyright © 2015 IDG Communications, Inc.