
Q&A: Top Cybersecurity Experts Weigh in on Incident Response Best Practices

Top consultants in cybersecurity reveal insights on incident response. Discover improvements you can make to enhance your incident response capabilities.


No matter how strong your cyber defenses are, prudence requires that you prepare for every eventuality. Secureworks® senior consultant Kevin Walsh recently blogged about preparation for incident response — but we thought you might also want to hear what other experts have to say about the matter. We asked Shira Rubinoff, Chief Cybersecurity Officer at Techstrong Group, Berkeley Varitronics CEO Scott Schober, and digital healthcare consultant David Chou to weigh in on the topic.

Q1: How do you define incident response?

A1: (Chou) Incident response is a structured process organizations use to identify and deal with cybersecurity incidents. According to the NIST framework, the four core components of incident response are:

  • Preparation by means of a proactive incident response plan that includes designating an incident response team, developing incident handling procedures, and establishing a communication plan.
  • Detection and analysis using appropriate tools and techniques to identify and investigate incidents when they occur.
  • Containment, eradication, and recovery to limit incident impact, eliminate its underlying cause, and restore the organization's operations to their normal, pre-incident state.

Q2: Why should cybersecurity leaders devote time, effort, and budget to incident response preparation?

A2: (Rubinoff) Solid response prep is essential for rapidly and confidently restoring your affected systems, minimizing lost revenue, avoiding high regulatory fines, and otherwise mitigating the numerous other adverse financial impacts of an attack.

Unfortunately, organizations do not give enough attention to and/or allocate sufficient resources for incident response. CISOs are struggling with security budgets that are too small, which inevitably leads to difficult decisions when it comes to allocating dollars in a way that's truly aligned with the needs of the organization. But it's a mistake to under-invest in incident response — because there are significant downsides to remaining reactive when you should be much more proactive in limiting attack impacts.

Q3: Where do you see the biggest shortfall/deficit in organizations' incident response capabilities?

A3: (Schober) Too many C-level executives have a mindset that keeping a security incident quiet will somehow minimize the damage to their company — even though the exact opposite is true. To minimize the total fallout from an incident, you're actually better off communicating transparently and intelligently with your employees, customers, shareholders, and relevant government agencies. Time and again, we've seen organizations make matters worse for themselves and their stakeholders through overconfidence, denial, and a failure to allocate the resources required for truly robust and effective incident response.

But most organizations ultimately suffer shortfalls in their incident response capabilities as a result of inadequate planning. As the old saying goes, “Failing to plan is planning to fail.” And even organizations that devise a reasonably comprehensive plan at some point wind up with problems as a result of their failure to regularly update and test that plan to keep it current with their ever-evolving infrastructure and systems.

The shame of it is that industry standards such as the NIST Cybersecurity Framework and ISO 27035 provide plenty of good best practices guidance for crafting effective incident response — so it's not as if we're asking organizations to reinvent the wheel.

If you are looking for ways to improve your incident response preparation, check out our latest blog on tabletop exercises and learn how these exercises can uncover opportunities to improve your cyber defense program.
