Preparedness and planning are key to managing incidents, recovery and resilience. How well organisations address these key topics was investigated by a real-time survey of over 120 senior executives conducted by (ISC)2 at the R3 conference in London.
Over 50 percent of attendees believed their organisations were capable of quick and decisive action if an incident was detected, yet only 27 percent had an incident management plan. Common reasons given for why organisations didn’t need such plans included: not storing, processing or creating data that could be stolen; not believing they would ever be hacked or breached; or that the organisation was just too small. Clearly not all have recognised that every organisation now possesses information that is of interest to someone. It is a case of when, not if, an organisation will be hacked.
Preparedness includes activities such as creating and maintaining plans, learning from experience, widening knowledge and rehearsing possible scenarios. Yet, despite believing their organisations could take decisive action, only a quarter of attendees had rehearsed their incident management plans. To draw a parallel with airline experience: we depend on the fact that pilots are trained to deal with incidents and emergencies, and practise their responses regularly.
Some pilots go further: Chesley Sullenberger, who successfully ditched US Air 1549 in the Hudson River, was an air crash investigator and read widely about air safety and crashes. He drew on a bank of experience, education and training when faced with an emergency. Whilst an information security incident may not be as dramatic, it has the potential to ruin businesses and careers. Rehearsing such plans is an easy win and a valuable learning experience.
On the positive side, many of those who did have incident management plans included communications, triage and remediation components, thus enabling organisations to maintain the continuity of their business (a key focus as revealed by the survey) and communicate with internal and external stakeholders. The majority also classified incidents by cost, the number of people affected, the time of year and the type of data.
Security incidents and breaches are a part of doing business today. While much progress has been made in recognising the need for security controls, this is not enough. We must expect and prepare for failure of these controls. Create (or update) your incident management plan; rehearse it; compare it with those published on the Internet. Read about and learn from other incidents, and keep asking yourself: Can I recover? Good incident management keeps the lights on and business processes running, and it can reduce the damage from a customer confidence, reputational or brand perspective.
Dr. Adrian Davis, CISSP, Managing Director for (ISC)2 EMEA