By David Mahon, Chief Information Security Officer, Deloitte Global
For many years, Chief Information Security Officers (CISOs) were measured against an impossible objective: 100% breach prevention. Thankfully, many today understand there is no such thing as 100% protection against breaches. This has changed how CISO effectiveness is gauged: from breach prevention to incident response and resilience.
This change is welcome, because incident response and resilience are largely under the control of the CISO. The SolarWinds breach is a recent example—a software company’s compromise became the source of widespread breaches across its customer base, even in organizations with incredibly strong security controls and processes. The breach itself was beyond the control of CISOs and organizations worldwide; what they could control, and the key opportunity it presented, was how effectively they responded.
Planning for Effective Incident Response
In a world where no organization is 100% protected from security compromise, creating an effective incident response (IR) plan is perhaps the most important job of the CISO. And while no two enterprises are alike, there are common approaches every security organization should build into its IR plan. The first is to understand that a data breach is not just a cybersecurity issue – it’s a corporate crisis issue and should be treated as such. And, as with any corporate crisis, there should be a pre-defined cross-functional team in place to execute the IR plan. The CISO should immerse the cybersecurity organization and business leaders in realistic and complex cyber incident simulations to test and develop “muscle memory” of roles, responsibilities and a unified communications approach.
Within that plan, there are some fundamental steps that need to be taken:
- Contain the breach: The first step is to understand the extent of the intrusion, isolate the attacker and prevent further lateral movement through the network.
- Assess the breach: Understand the extent to which data has been accessed and exfiltrated. Is it usable? Is it regulated? Who does it impact? This is why it’s critical for cybersecurity organizations to collaborate with risk, confidentiality, data privacy, communications, etc. They need the full support of the business.
- Manage the fallout: Once the full extent of the breach is understood, the next steps should be clear.
- Remediate: Address the breach by limiting the amount of damage it can potentially cause to your business. For example, encrypted and unregulated data will require limited action. But regulated and usable privacy information will require an activation of the cross-functional team to manage legal, regulatory and reputational issues.
- Root-cause analysis: Attempt to determine specifically what happened, why it happened, and what you can do to keep it from happening again. This is not just a technical review, as policies or infrastructure may need to be changed.
Communication Drives Effective Incident Response
Timely, transparent and informative communications can be the leading factor in an effective IR. Given the massive volume of security incidents occurring today, most stakeholders will forgive a company for being breached. They will not forgive a company that does not appear transparent in its efforts to disclose and mitigate the potential damage of a breach. There are three key audiences that need to be addressed as part of the IR communications process:
- Internal leaders: It is important to keep the necessary business leaders informed throughout the IR process. Even if it is determined the breach does not require public disclosure and did not involve sensitive data, they should be aware of the status. Obviously, if the data is sensitive or regulated, then the cross-functional crisis management team should be activated to execute the IR plan.
- External stakeholders: Communicating promptly with clients, external vendors, the general public and any other external parties potentially impacted by the breach can reduce the risk of legal, regulatory and brand damage. Getting the external communications right builds trust and can have a major impact on the organization’s resilience after a breach.
- Internal employees: Employees should be informed about the nature of the breach and if it included any employee personal information. Additionally, employees should be reminded that unsafe cyber behavior is a major risk to the organization and guided to educational resources on safe email use and web browsing.
This last point is a critical one. Poor employee behavior will defeat even the most advanced cybersecurity controls. And while CISOs can’t fully control how employees conduct themselves online and over email, they can reduce the risks from bad behavior by consistently reinforcing good behavior with an effective cyber training and awareness program. And when that happens, they can also reduce the likelihood that they’ll have to execute that IR plan for real.
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms, and their related entities (collectively, the “Deloitte organization”). DTTL (also referred to as “Deloitte Global”) and each of its member firms and related entities are legally separate and independent entities, which cannot obligate or bind each other in respect of third parties. DTTL and each DTTL member firm and related entity is liable only for its own acts and omissions, and not those of each other. DTTL does not provide services to clients. Please see www.deloitte.com/about to learn more.
Deloitte is a leading global provider of audit and assurance, consulting, financial advisory, risk advisory, tax and related services. Our global network of member firms and related entities in more than 150 countries and territories (collectively, the “Deloitte organization”) serves four out of five Fortune Global 500® companies. Learn how Deloitte’s approximately 330,000 people make an impact that matters at www.deloitte.com.
This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms or their related entities (collectively, the “Deloitte organization”) is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser.
No representations, warranties or undertakings (express or implied) are given as to the accuracy or completeness of the information in this communication, and none of DTTL, its member firms, related entities, employees or agents shall be liable or responsible for any loss or damage whatsoever arising directly or indirectly in connection with any person relying on this communication. DTTL and each of its member firms, and their related entities, are legally separate and independent entities.
© 2021. For information, contact Deloitte Global.