Survival Of The Fittest: Is Incident Response

Author: Aaron Pritz– CEO, Principal Consultant, Co-Founder at Reveal Risk

How many of your cyber security programs have a simple, well rehearsed incident response plan? It is likely that many companies have something resembling an IR (Incident Response) plan. It may even have that title if you can remember where it was stored. However, it is unfortunate that many leaders don’t realize the significance of the expectation for having your entire company ready for when (not if) the next major incident or breach affects your organization.

The majority of CISO dismissals/terminations occur not because a breach happened, but how it was handled in the aftermath. If readiness is so important, why is there not more energy and time spent on it?

Here are some diagnostic questions in the fun of a fun (or maybe not so fun) to evaluate whether you are fit to survive:

The 5 Essential Basics

  1. Do you have something called Incident Response Plan? (Yes: Proceed with 5 points, No: see final question)
  2. Do you know where it is stored? (Yes: Proceed with 5 points, No: Fail – see final question)
  3. Are you able to read and understand it in less than 5 minutes? (Yes: Proceed with 5 points, No: Fail – see final question)
  4. Do you have roles and responsibilities defined with those individuals aware they play those roles?  (Yes: Proceed with 5 points, No: Fail – see final question)
  5. Have you practiced, table-topped, or simulated real scenarios to give the team experience? (Yes: Proceed with 5 points, No: Fail – see final question)

Level 2 – Imperative Investments

  1. Have you connected your rehearsals to your risk management program for relevance and prioritization? Do you know your top risks and threat scenarios and have you practiced those? Do you know what parts of your business would be most impacted if they are compromised? Read my piece on the “3am Call” if you don’t know. (Yes – this is well covered – add 15 points, No: 0 Points)
  2. Have you engaged partners and stakeholders outside of the IS department (privacy, legal, HR, physical security, etc) in both the plan, roles and responsibilities (R&R), and as participants in the actual simulations? There will be drama and turf wars without a doubt when it comes to R&R. It is much better to iron out those wrinkles during peace time vs war time.  (Yes – this is well covered – add 15 points, No: 0 Points)
  3. Have you created awareness with broad corporate stakeholders and determined interfaces with other emergency/incident response plans your company may have? There is nothing worse than 3 swat teams all thinking they are in command during a crisis, but I have seen it happen. (Yes – this is well covered – add 15 points, No: 0 Points)
  4. Have you started to blend SOC (security operations center) drills such as red teaming as an integrated part of your IRP simulations? The more real you can make the simulations, the more expansive you can be on pulling people into the practice. (Yes – this is well covered – add 15 points, No: 0 Points)
  5. Do you have an offline or non-company network portal or way to access relevant materials during a breach where your corporate network is down? This happened several times in big breaches in 2017. It is important to really think through how your incident coordinator and team will do the job if everyone is at home on a holiday weekend, Active Directory gets knocked offline, and everything that you need requires SSO/AD to access. (Yes – this is well covered – add 15 points, No: 0 Points)

Final Question: Are you ready to lose your job or reputation in this field by mucking up what could have been a well coordinated and effective response during a material incident? (If Yes: reduce score to 0 points)

Scoring

  • 0 Points: Start writing your resume. This gig is not for you.
  • 5-25 Points: There is hope, but you still don’t have a passing grade. Take it to the next level!
  • 25-60 Points: You are a David Letterman style “C student” with potential.
  • 60-100: You still have work to do but you, but you are trending to be an A student!

How did you do? Does this need have an appropriate place on your radar with funding and time commitment to get it right? It is kind of like insurance: if you are shopping for a good plan after the accident, you are out of luck!

For those that got a good score: what elements am I missing from the test? What have you done that has been effective that others could learn from?

Feel free to COMMENT, REPOST, or LIKE to keep these free articles coming.  If your security program needs help translating strategy into action and being more business risk/threat focused, you can request more information at info@revealrisk.com. More information can be found on www.revealrisk.com