Winning the Cyber-Security Race: An Agile Response to Incident Management
This is a two-part series on the roles involved in managing and responding to security incidents. Read part one: Dealing with a Cyber Attack: Who’s in Charge?
Every information security incident is the start of a race: the race to determine the risks and compliance requirements surrounding the incident before potential victims are harmed and compliance deadlines are missed. Yet, too often, information security, compliance, privacy, and other functions are not operating as a team to win this race. As cyber-security threats escalate, savvy organizations are taking a hard look at both their organizational structure and their incident-response processes and seeking ways to move to a more collaborative, integrated approach to incident management.
Organizing to Win
There is a great deal of debate right now in the privacy and security offices about where the CISO should report in order to best protect an organization from risks of data breaches. A recent survey in The Wall Street Journal[1] sparked a heated debate: some readers said the CISO should report to the CEO in order to best manage business risk and avoid conflicts of interest with the IT team, and others argued that only the CIO could provide the right oversight for the CISO function. Industry expert John Kirkwood argues that it depends on whether the CISO’s focus is primarily on technical information security, business security, or strategic information security.[2] Perhaps more important than the reporting structure is the CISO’s span of control. If both information security and privacy are gathered under one organizational umbrella, it can help the response team to work more holistically.
Sequential And Slow
The right reporting structure can create more effective governance of security and privacy issues, but the organization of the front-line team determines how effectively security incidents are identified and managed every day. In many organizations today, incident response is run like a relay race, typically starting with information security and with each response function handing off to the next in sequence. With each leg, the clock is ticking, and at each handoff, vital information may be lost.
As of 2014, the most common cause of data breaches is cyber-attacks[3], and the information security team is the obvious first responder to any data security-related event. An information security person will see suspicious activity in a system log or an alert from security software, and investigate to determine whether the event is actually a security incident and whether to escalate to an incident response team. If the incident is escalated, the compliance team may then decide whether to involve legal counsel, the PR department, and other functions.
This sequential approach has several risks and shortfalls. Critical handoffs may not happen at all or critical information may be lost because the information security team is not expert in compliance requirements, the compliance team is not expert in forensics or preserving a chain of evidence, etc. There is also the potential for a conflict of interest: a data breach means that some aspect of security has failed, so the information security team has an inherent disincentive to identify an incident as a breach. Finally, a sequential response is inherently slower, and because the compliance team isn’t typically involved from the start, there is the chance that important reporting or notification deadlines could be missed.
Moving to an Agile Model
It takes a combination of specialties to handle a data security incident in a way that fully protects the organization. Instead of a relay race, cross-functional teams need a more agile way to react to the multiple threats of cyber-theft, compliance exposure, litigation, and loss of business.
Over the last decade, other disciplines such as software and marketing have adopted aspects of a project management model called “agile”, a method in which requirements and solutions evolve through collaboration between self-organizing, cross-functional teams. In agile management, people with different areas of expertise work together towards clearly defined goals based on business priorities, giving brief progress reports daily and adjusting priorities based on the developing situation. At regular intervals, the situation is reassessed in the context of the business priorities and the work already accomplished, and the tasks and priorities are revised.
Each security incident is unique, and a multi-stage response is necessary to effectively address the full range of risks. In the discovery phase, experts in security and compliance need to conduct forensic and other analysis to discover and document the key facts of the incident. These facts then need to be assessed against the complete, current matrix of federal and relevant state rules to determine whether there is a requirement for notification. Business risk managers also need to look at the demographics of the breach population and determine the risks of harm to victims and the potential public relations and litigation risks. Together, the various experts will then formulate a response plan tailored to the identified risks to the business and breach victims, and then execute the plan, gathering metrics and keeping documentation as the response is carried out.
The agile model divides projects into time-critical segments, each with a well-defined focus, so the model dovetails well with the four-stage incident response process outlined above (discovery, regulatory assessment, business risk assessment, and response planning and execution). Here are some steps your organization can take to move towards a more agile incident response process:
- Identify a first-response team, with representatives from information security, compliance, privacy, legal, and any other disciplines appropriate to the risks of your business.
- Create a process where the whole team is notified as soon as there is a potential incident so that each functional area can determine what actions to take. Ideally, have the team meet regularly and review all security events. This will prevent potential incidents from being overlooked, and the team members will build awareness of the needs of other functional areas.
- Provide tools and processes to ensure that information is shared and documented as a built-in part of the response process.
- Conduct regular reviews with the whole team to report progress, review business priorities, and assess next steps.
This kind of integrated approach not only enables accurate assessment of the incident from all standpoints, it also positions each functional team to provide effective response and risk management if the incident is determined to be a breach.
The Race Goes to the Swift
In the end, the question of organizational structure may become a moot point. What is certain is that as cyber-attacks increase and cause more pain to victims and the organization, there will be more concern on the part of boards, more will to address the problem, and even more accountability for the executives in charge of privacy and security. The real question is how those functions can organize themselves to respond effectively to the increasing volume and complexity of security incidents. The critical issue is not who’s in charge, but how effectively the multi-functional team can work together to evaluate the situation, come up with a strategy, and mount a defense. Until that happens, the contest will be lost and the criminals will continue to be in charge.
[1] “Readers Debate CIO, CISO Reporting Structure.” The Wall Street Journal, February 10, 2015. http://blogs.wsj.com/cio/2015/02/10/readers-debate-cio-ciso-reporting-structure/
[2] “Who Should the CISO Report To?” CSO Online. http://www.csoonline.com/article/2131227/infosec-staffing/who-should-the-ciso-report-to-.html
[3] Verizon 2015 Data Breach Investigations Report. http://www.verizonenterprise.com/DBIR/2015/