Light Dark
June 1, 2018 By Kevin Beaver 3 min read
CISO
Incident Response

“Circumstances don’t make the man, they only reveal him to himself,” as the Greek philosopher Epictetus once said. There may be no better situation this applies to than security — specifically, security incidents and breaches. When the going gets tough (and the dreaded incident or breach occurs), you’ll face your true testing time.

Your team will look to you to find out what happened after a security incident — and they will want to see how their leader handles a trying situation.

Keep Your Cool After a Security Incident

People don’t care about the current state of your security program; they care about the negative situation that has occurred. It’s not unlike politicians or celebrities who get caught in tricky situations: The public doesn’t care about who they are or what they’ve done; they just focus on the crisis and recovery.

No pressure! (Well, there’s actually a lot of pressure, but you can plan ahead to take the edge off of an otherwise negative situation.)

The trouble with adverse security events is that they strike unexpectedly. Sometimes, at what seems to be the worst possible time. These events can strike emotional chords that hit you at your core. This can, in turn, possibly bring out your worst side.

Get Facts, Minimize Impact — and Get Things Done

You must look at security incidents as opportunities that deserve mature and measured responses. It all starts with a robust incident response (IR) plan. Rather than winging it, you need to be able to pull the trigger on your plan of action. This could help you go into autopilot mode as you take the first step to respond, then the second and so on.

But what does this really mean? What is it that you need to do to come across as a true professional? How do you adequately address the situation without losing your cool — and potentially showing your colleagues a side of you that even you didn’t know existed?

It’s easier than you think. It involves getting the facts, minimizing the impact and then doing what needs to be done.

Five Questions to Ask After a Security Incident

Don’t merely take the disaster-accounting approach and immediately start pointing fingers and placing blame on others. Instead, remain calm and treat the security event as any other big business challenge. When you have a security incident, five simple questions could help you adequately respond, clean things up and move on as a bigger and better leader and organization.

  1. What has happened? You were attacked, hacked or otherwise swindled. That’s the easy part to figure out. Go beyond that and determine exactly what went down. It may be tempting to gloss over this step, but all of your follow-up steps will depend on good information here.
  2. How did it happen? This is where it gets tricky. It might be a known weakness, such as a password or SQL injection, or it could be something obscure that requires in-depth analysis. You need to know the details. Bring in your best people — and even outside expertise (i.e., consultants and forensics investigators) — where required. This step builds on the previous, and most of your subsequent efforts will depend on this information.
  3. What was impacted? Perhaps it was an external server or web application — or maybe it was a lost laptop or internal database. Beyond systems, what information was involved? Was it nothing? Intellectual property? Customer information? The reality: A granular level of detail is needed to figure this out. You need to get it right, especially when personal information is involved.
  4. Who was involved? It could be a specific user, department or team — quite likely many people. It’s important to figure this out so you can further piece the puzzle together. Knowing who was involved will also help with your longer-term response efforts and security program tweaks.
  5. What are the next steps? Things may get worse before they get better when you explore what happened after a security incident. Keep track of the timeline. Be prepared for questioning, additional findings and further outages. You’ll likely need to make short-term adjustments to stop the bleeding. You’ll also need to make longer-term improvements once the dust settles. These improvements will probably be in the areas of process and people on the soft side of security, and visibility and control on the technical side.

Information security leaders solve problems. Answering these questions will help ensure you’re on the right track to get valuable information that can help you through the situation. You need to be able to answer these questions quickly and honestly. Don’t go it alone. Ensure that you have a team of people with whom you’ll make decisions to best address the situation.

When an incident or breach occurs, you can’t change what happened. Your energy is better spent on getting your systems and operations back to normal and figuring out ways to improve your security program. This approach will help you keep your cool and minimize the impact on your systems and your business.

Listen to the podcast: Get Smarter About Disaster Response

 | 
Kevin Beaver
Independent Information Security Consultant

More from CISO
April 9, 2024

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

April 2, 2024

The evolution of a CISO: How the role has changed

3 min read - In many organizations, the Chief Information Security Officer (CISO) focuses mainly — and sometimes exclusively — on cybersecurity. However, with today’s sophisticated threats and evolving threat landscape, businesses are shifting many roles’ responsibilities, and expanding the CISO’s role is at the forefront of those changes. According to Gartner, regulatory pressure and attack surface expansion will result in 45% of CISOs’ remits expanding beyond cybersecurity by 2027.With the scope of a CISO’s responsibilities changing so quickly, how will the role adapt…

February 21, 2024

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature