17/03/2015

By John Bruce, CEO & Co-Founder, Resilient Systems


Security incidents happen – but they’re survivable. And they’d better be – we’re going to be facing more of them, and they’ll be increasingly sophisticated and concerning.

But the good news is that companies can thrive in the face of cyberattacks, if they’re prepared to respond well. It’s the same in the physical world – it’s called resilience. Organisations and communities have adapted to adverse conditions – be it natural disasters, theft, or accidents – since the year dot. Cyber threats are no different. They’re just newer, stealthier, and more urgent.

The security industry has already come a long way. We went from the decade of prevention into the decade of detection, and now we’re in the decade of response. Businesses are learning to avoid backlash from customers and regulators by protecting valuable information and responding swiftly and effectively when it gets into harm’s way. By taking control of the situation, security professionals can limit – or completely avoid – the damage to their company and its public perception.

Last calendar year provided plenty of examples of how a business’s response to an incident can make all the difference – and it was particularly true of the Target breach. Questions were raised in its aftermath about how the company acted. Eventually, the CEO was forced to step down. This shows that incident response is not just something for the IT department to control; it is an issue for the whole company, all the way up to C-level. Given the damage that can ensue from mishandling an incident, that seems absolutely appropriate.

It’s not a crime for a company to have a breach or experience security incidents – but it’s a problem if it doesn’t respond effectively when they happen. Fast forward a little, and you can expect regulators and auditors to step in. Just as they’re increasingly insistent that companies adhere to modest standards for security and customer cyber safety, you can anticipate them introducing similar guidance for a company’s ability to respond quickly and effectively. We already have some rudimentary regulations in various geographies and industries that describe a company’s obligations to notify those affected when it suffers a breach. But as the saying goes, ‘you ain’t seen nothing yet.’

As incidents continue to increase in frequency and complexity, it’s no longer enough for businesses to monitor firewalls and install intrusion prevention or detection tools. While less capable cyber criminals will be put off by these measures, determined attackers will always break in.

The key: Align all three areas – prevention, detection and response – and become cyber resilient.

For the last couple of decades, the attention has been on prevention and detection. Today, the focus should be on improved response – reacting faster, coordinating better, and responding smarter – and learning to manage security incidents as a normal part of business, just as businesses do with all other disruptive events, such as fire, flood, or flu season.

Improving Incident Response, Today

How can businesses more effectively respond as cyber risks continue to evolve? The key is aligning people, processes, and technology – so that the entire organisation is primed and ready to react when an incident occurs.

It starts with preparation – scrutinising policies, processes and operational readiness. You need a well-thought-out, documented, decision-making matrix to efficiently respond and navigate through the consequences of an event.

Comprehensive response should include:

• escalation processes and procedures
• coordination with employees, customers, and vendors
• involvement of all business units
• attention from legal and human resources
• advisories for the CISO, board members, and others
• real, well-understood policies
• organisational training, such as table-top exercises
• a media and communications plan

That’s a complex set of activities to instigate, manage, and monitor – and the efficiency with which response plans are executed is absolutely critical. Incidents can quickly escalate to the point where they overwhelm available resources – especially with security teams struggling to hire skilled employees. That’s why provisioning and preparation – before an incident occurs – are key to a successful response.

Incident Response in Action

To illustrate the impact of an effective IR function, look at USA Funds. Over 53 years, the nonprofit public sector organisation has supported a total of $247 billion in financial aid for higher education and served approximately 22.4 million students and parents and thousands of educational and financial institutions.

As you’d expect, the organisation manages an enormous amount of confidential and personally identifiable information (PII) for its customers, employees, and governing board.

Although USA Funds had its own basic infrastructure to prepare for any contingency, the organisation augmented its security initiatives with a more comprehensive and agile incident response strategy. The goal, which many companies will identify with, was to replace the manual and time-consuming incident planning and tracking process which involved heavy use of Microsoft Word checklists and Excel spreadsheets.

The team implemented multi-faceted incident tracking and real-time coordinated response solutions. As a result, USA Funds today manages incidents in one-tenth of the time that it took previously – and more effectively, too.

It’s becoming increasingly evident that effectively managing security incidents requires a specialist tool, as it does with every other critical area of a business. It’s inconceivable that businesses would try to run their sales, manufacturing, legal, or financial areas without a dedicated application for doing it. Security is no different.

But the technology is just one part of the puzzle – by improving and aligning technology, people, and processes, companies can become resilient to today’s cyber threats.