How to flip a cybersecurity event into building more resources, tech talent

Security experts share insights about crafting lessons learned plans to obtain more resources — and one critical mistake to avoid.
By Tom Sullivan
01:54 PM
Share
man working on server stacks

Security teams will never have upper management’s attention as powerfully as they do in the wake of a data breach. But they have to act quickly.

Wait three months and the breach is over: It’s been reported, top executives have moved on, and the opportunity to get needed resources will be lost.

“Never let a good crisis go to waste,” said Dan Costantino, CISO at Penn Medicine. “There’s a small amount of time when you have the opportunity to use the security event to make a change.”

Whether that means advancing your security strategy with a bigger budget, hiring more talent or deploying new technologies, the hours, days and weeks after an incident are a teaching moment, added Theresa Payton, CEO of security firm Fortalice Solutions and former White House CIO.

Both Costantino and Payton will be speaking at at the upcoming HIMSS Healthcare Security Forum in Boston, scheduled for Oct. 15-16, 2018.

Ahead of the event, Payton and Costantino shared advice on how to use that time wisely and what factors should be included in a lessons learned plan that will be ultimately shared with top executives and relevant employees as appropriate.

Make it about strategy, operations and resiliency

Payton advised infosec teams to tie the incident back to the strategic roadmap, explaining how allocating more resources to security for behavioral, process or technology changes would have enabled the team to more efficiently and quickly recover from the incident.

“Talk about operational resiliency. Time is money, so for every minute you’re down or limping along operationally because you’re responding to a security incident, that lost productivity, that reputation risk, is money,” Payton said.

“So if you can make the business case to improve operational resiliency, then you’re going to have their attention,” she added.

Costantino said security teams need to make that case in the days immediately after reporting the incident. So, if it’s a breach, on the 61 or 62 day.

“A lot of people say ‘we’ll do lessons learned 3 months down the road,’ but if you don’t do it right away the business will move on,” Costantino added.

Now that the importance of gathering intelligence and information about the incident is understood, as is the urgency of doing so, CISOs, CIOs and their teams should know what goes into a lessons learned outline before another event occurs.

Building an infosec lessons learned plan

While every incident or breach is somewhat unique, Costantino said there are core tenets that security teams should use to build a plan for lessons learned.

1. How did it happen? It’s important to know if it was result of human error or malicious -- whether it was a lack of security controls, an insider threat, or something else entirely.

2. What could we have done better, and what can we do in the future to prevent it? Simply encrypting your devices is easier said than done, Costantino said, and it requires answering critical questions. How long does it take? Will you corrupt other data? Can you do it remotely?

3. Were all the right people at the table during the process? This involves making sure that the response team has all the right representatives so nothing gets missed and no department is left out or not properly notified.

4. What was our response time? Security teams determine how long it took to identify the problem and understand it. From there, they’ll need to assess if they should have detected and responded sooner — and what tech or talent they need to make sure they’re better prepared for the next event.

5. Are we contracted with the right external counsel? Naturally, this can include legal, business and security expertise points of view that help executives develop a comprehensive lessons learned plan.

Other tech considerations

Payton advised security professionals to also assess whether or not they have appropriate kill switches or shields in place to isolate security incidents as they occur.

If an IT professional is reporting an anomaly in customer service, for instance, hospitals need to be able to essentially cut that department off from the rest of the organization to stop the threat from spreading.

“Often times it’s during a security event where everything gets locked up or during a data breach discovery that you realize you don’t have those pieces in place,” Payton said. “What do you have built into your architecture to track and contain the contagion so it doesn’t impact the entire full-scale operation?”

What’s next?

With those questions answered, logical subsequent steps will determine with whom to share the lessons learned and how to proceed in keeping upper management informed.

Those will depend on the nature of the incident.

“If it’s an insider threat or malicious employee, the follow-up is more to the privacy and security teams and executive management,” Costantino explained. “If we have someone walk out with a laptop then you better believe part of the lessons learned will be broad employee outreach about why not to do that.”

Payton added that part of the lessons learned should also be instituting more frequent updates to the board and executive management.

“You want to make sure you’re updating the C-suite on a regular basis and you’re not just bringing it up when the sky is falling all around,” Payton said. “You want to make sure to have an up-tempo in meeting with them.”

Beyond sharing the lessons learned internally, Costantino urged hospitals to share with other healthcare providers — something infosec experts widely agree is not happening nearly enough today.

“It’s not necessarily a time when health systems want to share that information with each other but the industry and the community need to get better at sharing their experience,” Costantino said. “There a lot of people who would want to learn.” 

Pro tip: A mistake to avoid

Speaking of sharing intelligence, Payton offered some advice about one approach not to take.

“I would shy away from saying to the C-suite that a bigger budget or more resources would have prevented the security incident from happening,” Payton said. “You don’t want to lead the board on by suggesting that when you write a check, bad things stop happening.”

Focus on Cybersecurity

In October, we take a deep dive into security strategy and pressing threats.

Twitter: SullyHIT
Email the writer: tom.sullivan@himssmedia.com