“Circumstances don’t make the man, they only reveal him to himself,” as the Greek philosopher Epictetus once said. There may be no better situation this applies to than security — specifically, security incidents and breaches. When the going gets tough (and the dreaded incident or breach occurs), you’ll face your true testing time.

Your team will look to you to find out what happened after a security incident — and they will want to see how their leader handles a trying situation.

Keep Your Cool After a Security Incident

People don’t care about the current state of your security program; they care about the negative situation that has occurred. It’s not unlike politicians or celebrities who get caught in tricky situations: The public doesn’t care about who they are or what they’ve done; they just focus on the crisis and recovery.

No pressure! (Well, there’s actually a lot of pressure, but you can plan ahead to take the edge off of an otherwise negative situation.)

The trouble with adverse security events is that they strike unexpectedly. Sometimes, at what seems to be the worst possible time. These events can strike emotional chords that hit you at your core. This can, in turn, possibly bring out your worst side.

Get Facts, Minimize Impact — and Get Things Done

You must look at security incidents as opportunities that deserve mature and measured responses. It all starts with a robust incident response (IR) plan. Rather than winging it, you need to be able to pull the trigger on your plan of action. This could help you go into autopilot mode as you take the first step to respond, then the second and so on.

But what does this really mean? What is it that you need to do to come across as a true professional? How do you adequately address the situation without losing your cool — and potentially showing your colleagues a side of you that even you didn’t know existed?

It’s easier than you think. It involves getting the facts, minimizing the impact and then doing what needs to be done.

Five Questions to Ask After a Security Incident

Don’t merely take the disaster-accounting approach and immediately start pointing fingers and placing blame on others. Instead, remain calm and treat the security event as any other big business challenge. When you have a security incident, five simple questions could help you adequately respond, clean things up and move on as a bigger and better leader and organization.

  1. What has happened? You were attacked, hacked or otherwise swindled. That’s the easy part to figure out. Go beyond that and determine exactly what went down. It may be tempting to gloss over this step, but all of your follow-up steps will depend on good information here.
  2. How did it happen? This is where it gets tricky. It might be a known weakness, such as a password or SQL injection, or it could be something obscure that requires in-depth analysis. You need to know the details. Bring in your best people — and even outside expertise (i.e., consultants and forensics investigators) — where required. This step builds on the previous, and most of your subsequent efforts will depend on this information.
  3. What was impacted? Perhaps it was an external server or web application — or maybe it was a lost laptop or internal database. Beyond systems, what information was involved? Was it nothing? Intellectual property? Customer information? The reality: A granular level of detail is needed to figure this out. You need to get it right, especially when personal information is involved.
  4. Who was involved? It could be a specific user, department or team — quite likely many people. It’s important to figure this out so you can further piece the puzzle together. Knowing who was involved will also help with your longer-term response efforts and security program tweaks.
  5. What are the next steps? Things may get worse before they get better when you explore what happened after a security incident. Keep track of the timeline. Be prepared for questioning, additional findings and further outages. You’ll likely need to make short-term adjustments to stop the bleeding. You’ll also need to make longer-term improvements once the dust settles. These improvements will probably be in the areas of process and people on the soft side of security, and visibility and control on the technical side.

Information security leaders solve problems. Answering these questions will help ensure you’re on the right track to get valuable information that can help you through the situation. You need to be able to answer these questions quickly and honestly. Don’t go it alone. Ensure that you have a team of people with whom you’ll make decisions to best address the situation.

When an incident or breach occurs, you can’t change what happened. Your energy is better spent on getting your systems and operations back to normal and figuring out ways to improve your security program. This approach will help you keep your cool and minimize the impact on your systems and your business.

Listen to the podcast: Get Smarter About Disaster Response

more from CISO