Once again another company is on the heels of a massive data breach, a security incident in which intellectual property, customer records, private information, you-name-it, has been compromised. The recent news of Adobe Systems, where a malicious entity stole intellectual property and accessed millions of credit card numbers, is another case where “if there is a will, there is an attacker that will find a way.”
I realize that not every organization is the size, nor has the notoriety as an Adobe, but the fact remains that if your business is on the Internet, in one way shape or form, you are a target; and most likely have already been hit. That is why it still amazes me that when the inevitable security breach occurs, it comes as a surprise. But even more surprising is the ensuing fear that exudes from the once-confident and stout information security professional who was the sentinel for the network.
This fear is unnecessary when you consider the fact that security standards such as HIPAA and PCI DSS all have elements of incident management and response embedded within them. If organizations are following a proper risk management plan to include an incident response process – when the inevitable occurs, they should feel a sense of relief, rather than fear and panic.
For those who are unprepared, the incident response process that ensues will determine and look to answer the questions of what, how, and who, but the perceived shame of the network breach still exists. The inescapable damage to pride and ego of the security professional is irrelevant. The lessons learned in the majority of these instances is the need for better communication and preparation.
Communicating the truth and facts to executives around security is essential. Fortunately, frameworks exist to help guide security professionals down the risk management and incident response path. For example, NIST 800-61 provides the basis for most security requirements relating to incident management and response. Referencing a consistent and proven response framework in your plan cannot prevent the pain, but it goes a long way and can save the organization time, reputational damage and money. That being said, there are some standard “do’s and don’ts” when it comes to incident response and management.
- Have a plan that states what the roles of all security professionals are.
- Communicate and share the incident response plans for WHEN a breach occurs.
- Understand and communicate the dynamic aspects of today’s threats.
- Communicate known gaps and mitigating factors.
- Conduct a root cause analysis as part of the investigation.
- Test, review, and update plans and learn from past experiences.
- Be silent. Not advocating your plan and sharing is the same as not having one. Others are involved. Make them aware.
- Share with management non-specific elements of the security and response program – be concise and accurate. This is what is expected when the alarm sounds, so communicate and live it.
- Rely on technology to solve problems.
- Blame. Ownership and resolution are of utmost importance. Blaming only deflects responsibility and shows weakness and uncertainty.
Accepting that attacks have happened and will continue to happen is part of being a diligent security professional. Living in a state of fear and uncertainty is a sign of the ill-prepared. Planning for an incident is taking the challenge head-on, knowing that there is going to be a battle and there will be losses, but limiting those losses is the difference between the professional who is updating their response plan rather than their résumé.