[BreachExchange] Data Breach Digest: Going for the gold in data breach incident response

Audrey McNeil audrey at riskbasedsecurity.com
Fri Sep 2 15:31:20 EDT 2016


http://www.securityinfowatch.com/article/12252878/data-breach-digest-going-for-the-gold-in-data-breach-incident-response

As I watched the Summer Olympics over the last month, I was inspired by the
hard work, preparation and dedication of the amazing athletes from around
the world all looking to achieve the highest prize in sports – the gold
medal. From the impressive performance of the United States women’s
gymnastics team to the men’s basketball team’s continued dominance, there
was no shortage of great performances at this year’s Games.

Watching the Games got me thinking about what security incident response
teams can learn from these athletes and teams. Several of the key qualities
of Olympians are very similar to what those on a strong data breach
response team should have. While we can’t all be elite athletes, we can
strive to be elite incident responders, capable of mitigating the major
reputational and financial impacts that a mega breach can have on an
organization.

The following are key attributes of successful Olympic athletes that I
think every response team can learn from and apply to their efforts.

Have a Game Plan and Perfect Your Craft

Competing at the Olympics is the culmination of a lot of preparation and
practice. From extensive training regimens to developing the perfect back
handspring and devising the right strategies on the court to beat the best
teams in the world, athletes must prepare and train to succeed.

It’s similarly important for data breach response teams to have a
well-documented strategy for managing the variety of data breach and
security incidents they may face. Having a strong incident response plan in
place and a team that understands how to execute plans for a variety of
breach situations is key to the response process. This means not only
creating but also regularly reviewing and updating response plans to
account for the latest threats as your opponents (hackers in this case)
continue to change their tactics.

Equally as important is thinking about effective incident response as a
craft that requires regular testing and readiness. This means regularly
practicing incident response plans under as realistic circumstances as
possible. Truly pressure testing the team will help ensure that when the
big issue comes, the team will be able to effectively execute plans.

For those looking to jumpstart their planning, Experian offers and
regularly updates a free incident response guide to help.

Work With the Best Coach and Trainers

While the athletes are the ones who get the spotlight, many credit their
success to the coaches and trainers they work with daily. The best Olympic
teams are made better by having strong leaders to help them navigate this
very high-stakes moment. Often these coaches were once Olympic medalists
themselves and are able to instill their experience to help the team
perform at its best.

Likewise, having the right team of outside experts supporting internal
incident response teams is key to successfully managing an incident. This
includes what is often known as a “breach coach” from an outside law firm
who can help direct the investigation into the incident and ensure that the
team is taking all the right steps to address the many activities that need
to go into successfully managing an incident. When combined with strong
communications, forensics and data breach resolution experts, companies
will be able to effectively manage even the most challenging incidents.

Similar to the relationship between a coach and team, chemistry is
important in incident response. It’s essential that companies identify and
meet with their outside team ahead of an incident to ensure smooth
collaboration.

Teamwork is Key

Each person on an Olympic team brings his or her own unique strengths to
the table. The U.S. basketball team wouldn’t win with five forwards on the
court, even if they were the very best in the world. In incident response,
the sum needs to be more than the parts and the ability to leverage the
strengths of each team member during an incident is vital for overall
success. Along with identifying the core response team, recruiting other
“utility players” who can help a response go well is also important. For
example, having a strong program manager in place to help the incident
response leader track progress is an important role that is often not
incorporated into incident response plans but can take a starring role
during an incident.

Equally as important is communicating across the various responsibilities
of incident response functions. Key to this process is the forensics team
regularly sharing updates on what is known and unknown throughout the
technical investigation into the incident. This information is vital to
making key decisions about when to disclose and what information to share
publicly. Establishing a regular cadence of meetings during an incident
and encouraging open lines of communications between functions is key to
success.

Poise Under Pressure

Similar to a make-or-break Olympic moment, a data breach is a high-stress
activity that requires poise under extreme pressure to make the right
decisions and execute. Having a plan and strong team are important building
blocks to an effective response, but they will fall apart if the response
team doesn’t stay calm under the pressure that tends to come from all sides
during a multimillion-record security incident. Be it regulators asking
tough questions about security practices, media demanding more information
than the company is willing to disclose, or customers outraged that their
information was lost, there is no shortage of pressures that can distract
a team. It’s important that all of the issues that come up during a major
incident are carefully and methodically addressed by the team and not
reacted to in a knee-jerk fashion.

A related attribute that is important is the need for the team to remain
agile and able to adjust tactics based on what’s happening with an
incident. What’s known about a security incident in the first 48 hours is
much different than in the first two weeks. An issue that appears to be
small or contained can often balloon into a mega-breach upon further
inspection, which requires a change in tactics. The opposite is also true,
and again, will require the team to change plans quickly.

While security teams may never receive the glory that Olympic athletes
receive, there is no doubt that following many of the same principles will
lead to a gold medal performance during an incident that can save a
company’s reputation and position in the market.