Maturing IR Capabilities into an Incident Management Program – Part 3 of 3
April 21, 2017
Incident response has become one of the most critical aspects of any overall security strategy, but a solid incident response program (IRP) is something many organizations – both large and small – either lack entirely or don’t take seriously enough.
In part one of this blog series, we surveyed where to start with incident response planning, covering some supporting components of incident response and security incident management programs. In the second part, Optiv’s IR consultants gave us insight from the trenches on how to build a solid IR plan, as well as common mistakes in IR planning they have worked with customers to correct.
In this last segment, we will tackle the steps beyond IR planning - what capabilities must companies possess in-house or be prepared to outsource, in order to mature their existing IR program to meet their business needs? At what stage does an IR program mature to a security incident management program? Does every company need a comprehensive incident management program?
What is a security incident management program?
Optiv defines security incident management as: a security-centric program designed to prepare and orchestrate all aspects of the business in responding to a cyber security incident. The “all aspects of the business” part of that definition is what makes an incident management program broader than a more technical-focused (even well-planned) IRP. An enterprise-wide security incident management program is aligned with legal, regulatory and fiduciary customer responsibility and is designed to manage the business impact (operational, brand, financial, etc.) posed by cyber security incidents and attacks.
What capabilities are needed as part of an incident management program?
Key capabilities for an incident management program include the ability to verify a security incident has occurred (and prioritize based on potential impact to the business); collect and investigate the incident (log capture and analysis); orchestrate response and remediation efforts across the organization (including third parties and cloud vendors); remediate or mitigate the incident; reporting for regulatory and legal evidentiary requirements.
Additionally, an incident management program will have an overall strategy, and be able to impact security program strategy, architectures and resource investment. Programs always require oversight, or governance and measurement. Governance to ensure effective execution, and measurement to help articulate the value of the program. The program, as it matures, will include more focus on preparedness: planning, testing, standardized tool selection and/or automation efforts, and process documentation.
When does an IR program “mature” into an incident management program? Does it have to?
In Optiv’s maturity model, an IR program matures into an incident management program between stages four (Adaptive) and five (Purposeful). Key indicators of a transition include: incident prioritization based on the outcome of a risk assessment; the security team’s incident response orchestration efforts and ownership moves beyond technical response and remediation teams to the rest of the business; and response gains C-level sponsorship as a major component of overall security strategy and investment.
Does every company need a comprehensive incident management program?
Every company, regardless of size, needs to make a conscious, intelligent choice in how mature their incident response and incident management program needs to be. Corporate and small business leaders alike need to understand legal requirements, regulatory requirements, and even cyber risk insurance requirements around data breach disclosures, penalties and coverage. It’s perfectly acceptable to not have a higher maturity incident management program, but decision makers need to understand the risks to the business. There are a number of IR providers out there (including Optiv) that can help companies understand their legal and regulatory operating environment, and custom-build the program that’s right for the business – with a roadmap for the future.
The next place to look at how IR can impact your business is in the cloud, on the go (mobile) and in your application development practices. Stay tuned to the Optiv blog for more great insight into maturing your security programs.