June 1, 2018 By Kevin Beaver

“Circumstances don’t make the man, they only reveal him to himself,” as the Greek philosopher Epictetus once said. There may be no better situation this applies to than security — specifically, security incidents and breaches. When the going gets tough (and the dreaded incident or breach occurs), you’ll face your true testing time.

Your team will look to you to find out what happened after a security incident — and they will want to see how their leader handles a trying situation.

Keep Your Cool After a Security Incident

People don’t care about the current state of your security program; they care about the negative situation that has occurred. It’s not unlike politicians or celebrities who get caught in tricky situations: The public doesn’t care about who they are or what they’ve done; they just focus on the crisis and recovery.

No pressure! (Well, there’s actually a lot of pressure, but you can plan ahead to take the edge off of an otherwise negative situation.)

The trouble with adverse security events is that they strike unexpectedly, sometimes at what seems to be the worst possible time. These events can strike emotional chords that hit you at your core. This can, in turn, possibly bring out your worst side.

Get Facts, Minimize Impact — and Get Things Done

You must look at security incidents as opportunities that deserve mature and measured responses. It all starts with a robust incident response (IR) plan. Rather than winging it, you need to be able to pull the trigger on your plan of action. This could help you go into autopilot mode as you take the first step to respond, then the second and so on.

But what does this really mean? What is it that you need to do to come across as a true professional? How do you adequately address the situation without losing your cool — and potentially showing your colleagues a side of you that even you didn’t know existed?

It’s easier than you think. It involves getting the facts, minimizing the impact and then doing what needs to be done.

Five Questions to Ask After a Security Incident

Don’t merely take the disaster-accounting approach and immediately start pointing fingers and placing blame on others. Instead, remain calm and treat the security event as any other big business challenge. When you have a security incident, five simple questions could help you adequately respond, clean things up and move on as a bigger and better leader and organization.

  1. What has happened? You were attacked, hacked or otherwise swindled. That’s the easy part to figure out. Go beyond that and determine exactly what went down. It may be tempting to gloss over this step, but all of your follow-up steps will depend on good information here.
  2. How did it happen? This is where it gets tricky. It might be a known weakness, such as a password weakness or SQL injection, or it could be something obscure that requires in-depth analysis. You need to know the details. Bring in your best people — and even outside expertise (i.e., consultants and forensics investigators) — where required. This step builds on the previous one, and most of your subsequent efforts will depend on this information.
  3. What was impacted? Perhaps it was an external server or web application — or maybe it was a lost laptop or internal database. Beyond systems, what information was involved? Was it nothing? Intellectual property? Customer information? The reality: A granular level of detail is needed to figure this out. You need to get it right, especially when personal information is involved.
  4. Who was involved? It could be a specific user, department or team — quite likely many people. It’s important to figure this out so you can further piece the puzzle together. Knowing who was involved will also help with your longer-term response efforts and security program tweaks.
  5. What are the next steps? Things may get worse before they get better when you explore what happened after a security incident. Keep track of the timeline. Be prepared for questioning, additional findings and further outages. You’ll likely need to make short-term adjustments to stop the bleeding. You’ll also need to make longer-term improvements once the dust settles. These improvements will probably be in the areas of process and people on the soft side of security, and visibility and control on the technical side.

Information security leaders solve problems. Answering these questions will help ensure you’re on the right track to get valuable information that can help you through the situation. You need to be able to answer these questions quickly and honestly. Don’t go it alone. Ensure that you have a team of people with whom you’ll make decisions to best address the situation.

When an incident or breach occurs, you can’t change what happened. Your energy is better spent on getting your systems and operations back to normal and figuring out ways to improve your security program. This approach will help you keep your cool and minimize the impact on your systems and your business.
