Enterprise Organizations Need Formal Incident Response Programs

I spent the early part of my IT career in the storage industry, mostly with EMC Corporation. Back then, large storage subsystems were equated with IBM mainframe computers, with a heavy emphasis on the financial services market.

Given this market alignment, I became quite familiar with the concept of business continuity/disaster recovery (BC/DR) way back in the 1990s. Techopedia defines BC/DR as follows:

Business continuity and disaster recovery (BCDR or BC/DR) is a set of processes and techniques used to help an organization recover from a disaster and continue or resume routine business operations. It is a broad term that combines the roles and functions of IT and business in the aftermath of a disaster.

Now enterprise organizations tend to take BC/DR extremely seriously. In fact, BC/DR programs are often very formal where details are documented, organizations conduct BC/DR practice drills, and CIOs are on the hook to resume IT operations with metrics like RTOs (recovery time objectives) and RPOs (recovery point objectives). BC/DR programs also go beyond IT alone and include contingency plans for the loss of facilities, employees, supply chains, etc. Finally, BC/DR is more than just a best practice, it is a compliance requirement associated with regulations like Basel II, FFIEC, GLBA, HIPAA, ISO 9000, etc. In some of the regulations like FFIEC, corporate boards are held accountable for ensuring that a comprehensive BC/DR plan has been implemented.

With BC/DR excellence at enterprise organizations, I find it extremely ironic that a lot of large firms don’t put forth the same type of programs and effort around incident response programs. In spite of the rash of data breaches over the past few years, many large organizations still minimize incident response programs, delegate them to IT/infosec groups, or think of them as checkbox exercises!

Fortunately, this is starting to change. PCI DSS section 12.9 mandates that retailers and banks create an incident response plan to be implemented in the event of a system breach that includes roles and responsibilities, specific incident response procedures, data backup processes, etc. Likewise, the SEC has hinted that incident response plans will become more stringent and explicit in the near future.

Now it’s great that the PCI DSS council, SEC, and other regulatory bodies are pushing enterprise organizations in this direction, but it’s just plain crazy that they aren’t doing this on their own. Have they followed the threat landscape? Have they studied what happened at ChoicePoint, the New York Times, Target, and TJX?

In my humble opinion, every enterprise-class organizations needs to bridge this gap by creating a formal incident response plan as soon as possible. Furthermore, this plan should:

  1. Span the organization. CIOs and CISOs have a lot of responsibility, but a good plan must also include corporate executives and boards, line of business managers, PR/IR, sales and marketing, and legal. CEOs should be held accountable for quarterbacking this effort. This degree of collaboration is crucial so that the organization knows how to respond, what to say, and when to say it to minimize the damages.
  2. Be documented and tested from start-to-finish. From my experience, there is still too much “winging it” with incident response: PR/IR doesn’t know what to say, lawyers with little cybersecurity experience take the lead, details are sketchy and don’t make sense, etc. This ALWAYS results in greater damage and higher cost as organizations miss details, contradict themselves, or withhold information to key constituencies like business partners, customers, employees, and shareholders. To avoid these pitfalls, IR plans must be planned, implemented, and tested with military precision.
  3. Be industry-specific. There are lots of resources about IR programs available from NIST, ISO, SANS, etc. Great start, but incident response communications, liabilities, and processes must be industry-specific while accounting for geographic and cultural subtleties as well. After all, a security breach exposing health care information may be far more personal than credit card information theft.

Like BC/DR, large organizations will need adequate resources, skills, and technologies to get their IR programs right. This may require help from service providers like Accenture, Booz Allen, E&Y, HP, IBM and Sungard, or SaaS providers like Co3 offering software that can help organizations track IR processes, workflow, project plans, etc. Given the insidious threat landscape and current immature state of many IR plans, CEOs should push forward with IR program improvement initiatives ASAP.

Topics: Cybersecurity Data Protection