How To Survive Breach Failure (Part 3 of 3)
December 15, 2014
To effectively prepare for the possibility of a breach, it is paramount for your organization to have an effective incident response (IR) plan in place, and then stick to that plan if your organization does become under attack. But even if you successfully navigate through the incident, there are still several moments presented after a breach that are potential failure points for organizations. I outline a few of these below.
Failures After the Incident
Not acknowledging the breach to those involved and affected
Many security breaches could have been prevented with properly implemented controls, and it’s not uncommon for an employee/team to be aware of the vulnerability that resulted in exploitation. He/she/they may have even vehemently advocated addressing the issue before it’s too late and would enjoy nothing more than to say “I told you so”. Management’s refusal to mitigate a known risk and/or unwillingness to acknowledge a security breach can result in internal perception of lack of integrity within the organization’s senior ranks. Employees that don’t feel aligned with these decisions will either a) intentionally (disgruntled) or unintentionally (frustrated) leak information about what happened, or b) leave the organization altogether to avoid being part of a culture that doesn’t do “what’s right.” Both can have negative effects that may not be realized until it’s too late. As CISO, you may be responsible for communicating decisions that don’t necessarily reflect your personal beliefs. When doing so, it’s important to have the conversation in the broader context of overall risk management. While a breach may be the worst thing that can happen on a security professional’s watch, many breaches have little to no impact on the “big picture” (e.g. total annual revenue) and thus it may not register as a significant concern on management’s overall risk radar. In some cases, leadership privately anticipates dealing with a certain amount of security incidents and hopes they can be mitigated legally or by cyber insurance—as long as the bottom line or share price isn’t significantly affected long-term. Right or wrong, cybersecurity can dwarfed by many larger issues your board is concerned with.
Making no attempt to improve
Some security professionals live for the breach; some fear it and avoid it like the plague. I’m probably somewhere in-between. But one thing I know is that every breach is a learning opportunity. We’ve heard this for years, but it’s no longer a matter of “if” your security will be breached—it’s a matter of “when” it will happen. If you’ve already been through a breach, don’t think you’re on holiday and that you can return to business as usual. If anything, the breach has already been discussed in the hacker underground and your incidents are likely to increase. Hence it’s critical you look for areas of improvement. Conduct a reasonable postmortem after every breach attempt. Look for areas where the established IR process broke down or may have been too unwieldy for your organization. Look for inefficiencies that caused delays in response time. Identify members of your organization who tend to “go rogue” and deviate from defined procedures. Seek out event trends and plot them against threat models to validate investment decisions for upcoming budget cycles.
Conclusion: You Can Do This
Some CISOs believe the expectations being levied against them are unfair. The good news is our profession is finally being given the opportunity to move from the “kiddie table” to the “grown-up’s table,” and how we conduct ourselves during a security breach can either accelerate this transition or slow it to a grinding halt. Keep these tactics in your back pocket as an alternate lens to look through at your organization. You may discover issues you had not previously considered.
Do you agree? What other areas do you see organizations failing during a security breach? Let us know in the comments section below.
**Disclaimer: The observations above are subjective to interpretation and are not the result of any specific scientific study.