No one plans to fail, but many fail to plan
August 31, 2016
In the information security community, we talk often about incident response plans and the need to conduct regular tabletop exercises. Where we fail is to prepare at the enterprise level.
What happens when your corporate policy prohibits retainer services for technology work, but you need a technical first-response team? What is your enterprise approval policy for high dollar value expenditures? Have you discussed at the enterprise level what data you store, process and transmit and the relative level of impact to your customers if that data is compromised? How will you address media inquiry and response?
All these questions need to be addressed, not during a breach, but before one.
In my experience working with prominent cyber-security lawyers, forensic teams and CISOs, several gaps in planning exist at the enterprise level. This raises the question: why, and what do we do about it? Tabletop exercises for incident management at the enterprise level can assist the organization in identifying delays and process failures that increase both the financial and reputational costs of a breach.
For example, one organization discovered during a live security incident that the forensic team it had engaged was not an approved vendor under its cyber liability policy. It was forced to negotiate a contract with a new provider, spending weeks in legal negotiations. Organizations should review changes to cyber liability insurance and service providers to ensure resources are immediately available at the time of a breach.
It is wise to conduct an annual consultation with coverage counsel to ensure cyber liability coverages are appropriately sized and structured for success when you need them.
Tabletop exercises at the enterprise level can lead to productive conversations about communication plans and crisis management, and can identify limitations in policies that could result in increased response times.
Below is a sample tabletop exercise that includes the theoretical incapacitation of one or more critical executives.
- The VP of communications is on medical leave and struggling with a critical medical event. He is unavailable for the coordination of crisis communication plans and is not fit to issue a statement. Who else on the executive team is trained and prepared to address the media? This is a good opportunity to consult a crisis communications team and also review some of the best and worst in crisis communications. Look at not only cyber incidents, but all organizations who have managed a crisis and identify things they did well and things they did not. What tools and resources are available in your organization to ensure that when the “best and worst of 2016” hits the streets, your organization is noted as having handled the crisis well? Better still, how do you not make the list at all?
- The CFO is on a two-week vacation to Africa. What are the necessary contingencies in communication plans and spending authority when such individuals are unavailable? Who has the authority to approve the necessary expenditures for lawyers, crisis managers, public relations and forensic teams? Ensure there are no enterprise-level roadblocks to effectively engaging the right resources.
Enterprise incident response readiness is not only an effective way to ensure processes are streamlined and effective, but also a good opportunity for chief security officers to educate and guide executives through the complexities of data risk management. If the organization can switch from a technology and metrics conversation to a more enriching conversation about data risk, the result is overall improvement in procedural and technical controls.
In another example, an organization offered impacted customers two years of credit protection services and a call center to address questions and concerns related to identity theft. This is a very admirable response to a breach of personally identifiable information that could lead to identity theft; however, the organization in question had suffered a breach of credit card data, where the stolen data does not result in identity theft. Their offer added millions to the overall cost of the breach and ultimately did very little to improve customer satisfaction.
In this example, management was not sufficiently educated on the types of data stored, processed or transmitted and the level of risk to their customers if this data was compromised. Discussions with privacy counsel can help organizations determine which data elements are most sensitive and what the courts and public expect organizations to offer to customers for the loss or compromise of that information.
Lastly, blamestorming is an all-too-real reality for organizations managing a crisis, cyber security or otherwise. The urge to blame is quite often based on misunderstandings, irrelevant facts and the fear of being blamed. Focusing on blame inhibits the team’s ability to address and respond to the actual problem. Searching for opportunities to place blame leads to longer response and recovery times and increases legal exposure. Tabletop exercises at the enterprise level often help to defuse the blame conversation before it begins, focusing instead on the attribution of the crisis and the management of the circumstances.
Many organizations find the courts and regulatory bodies asking questions about the reasonableness of their controls and of their response following a breach. Were reasonable controls in place? Was the breach foreseeable? Did they react in a reasonable timeframe? Did they follow established procedures? The FTC and SEC are increasingly involved post-breach and are asking very pointed questions about incident response plans and playbooks, how often these are tested, the results of those tests and how identified gaps are being addressed. Many of these questions can be addressed with an established information security program, the effective use of third-party resources specifically trained in cyber security incident response, and the operationalization of crisis management at the enterprise level. Tabletop exercises not only for technology teams but also for executive teams are the best way to ensure your organization is prepared at all levels to effectively manage a cyber security incident.
Originally published in the Secure360 Blog