
How To Survive Breach Failure (Part 1 of 3)

December 10, 2014

Many organizations have developed security response procedures to satisfy compliance and regulatory requirements; however, when a breach does occur we regularly see organizations making decisions or performing actions that don’t align with the established incident response plan. When this happens, direct impacts are usually obvious but further analysis is needed to consider the second-order effects.

In this blog series, we cover some opportunities for failure leading up to, during, and after security incidents, and offer professional tips on how to weather the storm. CISOs and security leaders need to be aware of the natural tendency to drift from established process in this area and be prepared with appropriate countermeasures to bring order to the resulting chaos.

Failures Before the Incident

Having a poorly written incident response (IR) plan
Countless articles have been written that underscore the importance of having a thorough and rehearsed IR plan. Rather than beating that dead horse, I’d like you to consider evaluating your IR plan from a different perspective to determine whether it is realistic and set up for success or for failure. An IR plan that can’t be executed effectively has little value and will undoubtedly be ignored during an incident. When in doubt, try using the “SMART” methodology (Specific, Measurable, Achievable, Relevant, Time-bound) to assess your plan:

Specific – Ambiguities lead to poor decisions; poor decisions lead to chaos; chaos leads to failure.

  • Do you have a list of clearly defined questions to quickly perform triage analysis needed to confirm/negate the incident and categorize it appropriately? 
  • Are roles/responsibilities up-to-date and supported by indisputable lines of authority? 
  • Are decision matrices clearly structured to minimize personal judgment and ensure response actions are congruent with the specific problem(s) detected? 

Measurable

  • Do you have established benchmarks or metrics to measure the impact of an incident? 
  • How do you confirm whether your response is effective or merely adequate?
  • Do you have thresholds that define when an acceptable level of recovery has been achieved?

Achievable

  • Is your IR plan realistic, or does it hinge on resources and capabilities your organization doesn’t have? 
  • Do you need additional staff or tools to perform investigative analysis?
  • Will you need to undergo a contracting/procurement process to purchase technology or get an IR retainer in place for external forensic/legal support? 
  • Is the IR team composed of management officials who are difficult to reach, leaving analysts with insufficient decision-making authority?

Relevant

  • Does your IR plan align to the needs of the business? 
  • Does the organization understand the difference between an operational incident (outage) and a security incident? 
  • Does your leadership value the [sometimes] significant effort of performing a deep root cause analysis, or is it more important to restore service at the expense of forensic investigation? 
  • Have you educated end users and management officials about the importance of incident response and their responsibilities in the process?
  • Does your IR plan feature response strategies that management/operations will reasonably approve, or will recommended actions be dead on arrival (e.g., completely taking down a non-redundant ISP connection or email system in a 24x7 operation)?

Time-bound

  • Are there regulatory or compliance requirements that specify how soon after a suspected breach your organization must report the incident? 
  • How much time will your team need for investigation to meet those targets?
  • At what point is the incident overcome by events (OBE) and thus the effort for further investigation is outweighed by acceptable loss? 
  • Do you have internal or external SLAs that determine when your investigation must be complete and by when your findings must be communicated?
  • Do you have the resources needed to meet the stated time-bound goals?

In my next blog post, I will discuss ways in which organizations fail during a breach. 

Disclaimer: The observations above are subject to interpretation and are not the result of any specific scientific study.

By: Terrence Weekes

Director, Information Security
