Why do we need an Incident Management Strategy and a Response Plan?
The answer lies in Murphy’s Law: “Anything that can go wrong will go wrong.” In the real world things do go wrong; the only question is when. When they do, we need to respond effectively, and that is when a well-defined plan comes to our rescue.
Today we face insider threats, hacktivism, cybercriminals and state-sponsored espionage, and the probability of something going wrong feels higher than ever before.
In my first leadership role, I was given the responsibility of running a Security Operations team. One key responsibility that came with that role was acting as Security Incident Response Leader for the region.
At that time the organisation already had a well-defined Security Incident Management Framework, not different from many incident management frameworks that exist across our industry. I never questioned the framework and processes at that time and adapted them to manage security incidents.
I am sure that, just like that organisation, every big multinational organisation has a very well-defined and well-rehearsed security incident management plan to respond when an incident happens. For more than a decade, I have had the opportunity to either participate in or lead the response to a variety of security incidents. It is very difficult to analyse your incident response while it is happening, as you are busy managing the situation.
However, once it is over, that is the time to go over the timeline and the steps taken to respond to the incident. I have followed this practice and I must admit that it has given me useful insights. I have seen that not many organisations spend time reviewing the effectiveness of their plan and their response after an incident. That is a missed opportunity.
The problem with most Security Incident Management Strategies can be summed up by this quote from Mike Tyson: “Everybody has a plan until they get punched in the face.”
Similarly, most companies believe they have a good security incident management strategy and plan until they need to respond to an incident. Traditional approaches don’t work because:
- It is assumed that everyone understands their role and responsibility and has the ability to perform it effectively. Most organisations have this well documented, but the documentation is not matched by awareness and a common understanding of it. Do the executive team, non-executive board members and other key individuals in the organisation know their role and responsibility when an incident happens?
- Most organisations have well-defined Business Continuity and Disaster Recovery Plans that are rehearsed and tested, updated regularly and assessed for effectiveness. The same is not true of the Security Incident Management Plan. Plans do exist, but organisations do not rehearse them with active participation from all the actors involved.
- Security Incident Management is still considered a technical job. However, handling security incidents needs a completely different set of expertise. It is not an outage or a service-level issue. In some cases it is closer to a criminal investigation, where the scene has to be approached with caution, the situation handled diligently and evidence preserved correctly, with its chain of custody intact, rather than wiped away in the rush to restore service.
- Another issue in security incident management is handling and managing communication. With the evolution of the Internet and social media platforms, news spreads rapidly and can go viral very quickly. The LinkedIn password breach is a good example. LinkedIn took almost two days to acknowledge and respond to the incident. By that time thousands of blog posts had been written and millions of tweets were circulating about it. Users were anxious to know whether their passwords had been exposed, and everyone started changing their passwords. The cumulative effect was a negative backlash against LinkedIn. An important thing people often forget is that once information is in the media, it is out there for others to use and abuse. It is better not to hit the headlines for such reasons in the first place; if you do, it is important to manage the message that is conveyed.
- When that time comes, a lot of it is perception management.
Now, coming back to the quote from Mike Tyson: “Everybody has a plan until they get punched in the face.”
It is better to plan for that punch and to simulate it, so that you know you are not only ready to take the impact when it happens to you but also ready to get back on your feet. It is teamwork, and it is not a TECHNICAL PROBLEM to be managed by IT alone. Security incidents have to be managed collectively by a team drawn from various functions within the organisation, with everyone playing their part effectively.
Last year, I gave a talk on a similar topic, “Security Incident Management – How good is your strategy”, at CxO Dialogue Information Security & Risk Management 7. Refer to my Slideshare website for the presentation pack on this topic.