Every information security incident is the start of a race, the race to determine the risks and compliance requirements surrounding the incident before potential victims are harmed and compliance deadlines are missed. Yet, as we discussed in last month's article, "When a cyber attack hits: Who's in charge?," information security, compliance, privacy and other functions are not operating as a team to win this race.
As cyber-security threats escalate, savvy organizations are taking a hard look at their incident-response processes and seeking ways to move to a more collaborative, integrated approach to incident management.
In many organizations today, incident response is run like a relay race, typically starting with information security and with each response function handing off to the next in sequence. With each leg, the clock is ticking, and at each handoff, vital information may be lost.
However, this sequential approach has several risks and shortfalls. Critical handoffs may not happen at all or critical information may be lost because the information security team is not expert in compliance requirements, the compliance team is not expert in forensics or preserving a chain of evidence, etc. A sequential response is also inherently slower, and because the compliance team isn't typically involved from the start, there is the chance that important reporting or notification deadlines could be missed.
Moving to an agile model
Instead of a relay race, cross-functional teams need a more agile way to react to the multiple threats of cyber-theft, compliance, litigation, and loss of business. Here are some steps your organization can take to move towards a more agile incident response process:
- Identify a first-response team, with representatives from information security, compliance, privacy, legal, and any other disciplines appropriate to the risks of your business.
- Create a process where the whole team is notified as soon as there is a potential incident so that each functional area can determine what actions to take. Ideally, have the team meet regularly and review all security events. This will prevent potential incidents from being overlooked, and the team members will build awareness of the needs of other functional areas.
- Provide tools and processes to ensure that information is shared and documented as a built-in part of the response process.
- Conduct regular reviews with the whole team to report progress, review business priorities, and assess next steps.
This kind of integrated approach not only enables accurate assessment of the incident from all standpoints, it also positions each functional team to provide effective response and risk management if the incident is determined to be a breach.
The race goes to the swift
As cyber-attacks increase and cause more pain to victims and the organization, there will be more concern on the part of boards, more will to address the problem, and even more accountability for the executives in charge of privacy and security. The real question is how those functions can organize themselves to respond effectively to the increasing volume and complexity of security incidents. The critical question is not who's in charge, but how effectively the multi-functional team can work together to evaluate the situation, come up with a strategy, and mount a defense. Until that happens, the contest will be lost and the criminals will continue to be in charge.
Rick Kam is president and co-founder of ID Experts.