How To Survive Breach Failure (Part 3 of 3)

December 15, 2014

To effectively prepare for the possibility of a breach, it is paramount for your organization to have an effective incident response (IR) plan in place, and then to stick to that plan if your organization does come under attack. But even if you successfully navigate the incident, there are still several moments after a breach that are potential failure points for organizations. I outline a few of these below.

Failures After the Incident

Not acknowledging the breach to those involved and affected
Many security breaches could have been prevented with properly implemented controls, and it’s not uncommon for an employee or team to have been aware of the vulnerability that was exploited. They may even have vehemently advocated addressing the issue before it was too late and would enjoy nothing more than to say “I told you so.” Management’s refusal to mitigate a known risk and/or unwillingness to acknowledge a security breach can create an internal perception that the organization’s senior ranks lack integrity. Employees who don’t feel aligned with these decisions will either a) intentionally (disgruntled) or unintentionally (frustrated) leak information about what happened, or b) leave the organization altogether to avoid being part of a culture that doesn’t do “what’s right.” Both can have negative effects that may not be realized until it’s too late. As CISO, you may be responsible for communicating decisions that don’t necessarily reflect your personal beliefs. When doing so, it’s important to have the conversation in the broader context of overall risk management. While a breach may be the worst thing that can happen on a security professional’s watch, many breaches have little to no impact on the “big picture” (e.g. total annual revenue) and thus may not register as a significant concern on management’s overall risk radar. In some cases, leadership privately anticipates dealing with a certain number of security incidents and hopes they can be mitigated legally or by cyber insurance—as long as the bottom line or share price isn’t significantly affected long-term. Right or wrong, cybersecurity can be dwarfed by many larger issues your board is concerned with.

Making no attempt to improve
Some security professionals live for the breach; some fear it and avoid it like the plague. I’m probably somewhere in between. But one thing I know is that every breach is a learning opportunity. We’ve heard this for years, but it’s no longer a matter of “if” your security will be breached—it’s a matter of “when” it will happen. If you’ve already been through a breach, don’t think you’re on holiday and can return to business as usual. If anything, the breach has already been discussed in the hacker underground and your incidents are likely to increase. Hence it’s critical that you look for areas of improvement. Conduct a reasonable postmortem after every breach attempt. Look for areas where the established IR process broke down or may have been too unwieldy for your organization. Look for inefficiencies that caused delays in response time. Identify members of your organization who tend to “go rogue” and deviate from defined procedures. Seek out event trends and plot them against threat models to validate investment decisions for upcoming budget cycles.

Conclusion: You Can Do This

Some CISOs believe the expectations being levied against them are unfair. The good news is that our profession is finally being given the opportunity to move from the “kiddie table” to the “grown-ups’ table,” and how we conduct ourselves during a security breach can either accelerate this transition or slow it to a grinding halt. Keep these tactics in your back pocket as an alternate lens through which to look at your organization. You may discover issues you had not previously considered.

Do you agree? What other areas do you see organizations failing during a security breach? Let us know in the comments section below.

*Disclaimer: The observations above are subject to interpretation and are not the result of any specific scientific study.

By: Terrence Weekes

Director, Information Security