No one plans to fail, but many fail to plan
In the information security community, we talk often about incident response plans and the need to conduct regular tabletop exercises. Where we fail is in preparing at the enterprise level.
What happens when your corporate policy prohibits retainer services for technology work, but you need a technical first-response team? What is your enterprise approval policy for high-dollar-value expenditures? Have you discussed at the enterprise level what data you store, process and transmit and the relative level of impact to your customers if that data is compromised? How will you address media inquiries and response?
All these questions need to be addressed, not during a breach, but before one.
In my experience working with prominent cyber-security lawyers, forensic teams and CISOs, several gaps in planning exist at the enterprise level. This raises the question: why, and what do we do about it? Tabletop exercises for incident management at the enterprise level can assist the organization in identifying delays and process failures that increase both the financial and reputational costs of a breach.
For example, one organization discovered during a live security incident that the forensic team they had engaged with was not an approved vendor under their cyber liability policy. They were forced to negotiate a contract with a new provider, spending weeks in legal negotiations. The organization should be reviewing changes to cyber liability insurance and service providers to ensure resources are immediately available at the time of the breach.
It is wise to conduct an annual consultation with coverage counsel to ensure cyber liability coverages are appropriately sized and structured for success when you need them.
Tabletop exercises at the enterprise level can lead to productive conversations about communication plans and crisis management, and can identify limitations in policies that could result in increased response times.
Below is a sample tabletop exercise that includes the theoretical incapacitation of one or more critical executives.
Enterprise incident response readiness is not only an effective way to ensure processes are streamlined and effective, but also a good opportunity for chief security officers to educate and guide executives through the complexities of data risk management. If the organization can switch from a technology and metrics conversation to a more enriching conversation about data risk, the result is overall improvement in procedural and technical controls.
In another example, an organization offered impacted customers two years of credit protection services and a call center to address questions and concerns related to identity theft. This is a very admirable response to a breach of personally identifiable information that could lead to identity theft; however, the organization in question was responsible for a breach of credit card data, where the data stolen does not result in identity theft. Their offer added millions to the overall cost of the breach and ultimately produced very limited improvement in customer satisfaction.
In this example, management was not sufficiently educated on the types of data stored, processed or transmitted and the level of risk to their customers if this data was compromised. Discussions with privacy counsel can help organizations determine which data elements are most sensitive and what the courts and public expect organizations to offer to customers for the loss or compromise of that information.
Lastly, blamestorming is an all-too-real problem for organizations managing a crisis, cyber security or otherwise. The urge to blame is based quite often on misunderstandings, irrelevant facts and the fear of being blamed. Focusing on blame inhibits the team’s ability to address and respond to the actual problem. Searching for opportunities to place blame leads to longer response and recovery times and increases legal exposure. Tabletop exercises at the enterprise level often help to defuse the blame conversation before it begins, focusing more on the attribution of the crisis and the management of the circumstances.
Many organizations find the courts and regulatory bodies asking questions about the reasonableness of the controls and the response following a breach. Were reasonable controls in place? Was the breach foreseeable? Did they react in a reasonable timeframe? Did they follow established procedures? The FTC and SEC are getting more and more involved post-breach and are asking very pointed questions about issues such as incident response plans, playbooks, how often these are tested, the results of those tests and how you are addressing gaps. Many of these questions can be addressed with an established information security program, the effective use of third-party resources specifically trained in cyber security incident response and operationalizing crisis management at the enterprise level. Tabletop exercises, not only for technology teams but also for executive teams, are the best way to ensure your organization is prepared at all levels to effectively manage a cyber security incident.
Originally published in the Secure360 Blog
September 28, 2016