The Secureworks ® Incident Response proactive consulting practice develops incident response (IR) plans, performs IR plan gap analyses, and facilitates tabletop exercises featuring various security risks to the more than 4,000 customers in our base. Over time we have analyzed findings from each engagement, and the patterns that emerge show consistent challenges to organizational security posture and response capabilities.
This 5-part blog series details the top 5 challenges we see when we’re called in to do a proactive incident response engagement. As these are systemic, widespread issues, we want to raise awareness and share our guidance to help your organization get ahead of them.
The first blog in this series looked at what should be considered the basic foundation of any security practice: the definition of “incident.”
The second in this series discussed another relatively simple item: the contact list.
The third in this series explored what few organizations do well: data governance.
The fourth in this series turned to another issue that may not be directly security related, and at times not very technical: third parties, or alternatively, the “cyber supply chain.”
This fifth and final post of the series provides tips on managing cybersecurity as a business risk, and it wraps up some patterns we’ve seen as security-related “norms” across the companies we encounter.
Cybersecurity is looked at as the voice of “no” in organizations where it is believed that security hinders business. Phonetically correct; definitionally wrong. In reality, security is the voice of “know.” Properly done, security enables organizations to put appropriate measures in place to ensure that the business continues without damaging events.
The intersection of cybersecurity and corporate governance is an area every organization needs to develop. Security and incident response are not technical functions. They are essential business processes with a strong technical component due to the intimate relationship between organizations and their data.
Board involvement is crucial. Senior management and the board need to have open dialogue about expectations regarding risk tolerance, budget considerations, IR planning, and breach response.
Incorporate security at the highest levels into your vision and mission. Leaders and team members look to these things for guidance when making important choices. Update your vision or organizational objective to clearly articulate that security is non-negotiable. This applies not just to the people who have security in their title (CISO, CSO), but also to other C-level executives, all the way down to individual managers.
The people who do have security in their title should learn the language of business. Security issues are business risks to be properly addressed. Reports to C-level executives should not contain technical jargon. After all, one has to wonder how many organizations care that the Ugly Gorilla and Funky Monkey threat groups target vulnerabilities in Adobe Flash. Instead, tell them that the dancing logo on the website presents a strong risk to the organization and that removing it will mitigate that risk. Further, let them know the removal’s expected impact on the organization and the timeframe the removal will require. If removal is not approved, be prepared with compensating control plans.
How can the risk be managed?
- Establish a governance framework.
- Maintain board engagement.
- Produce supporting policies.
- Adopt a lifecycle approach to risk management.
- Apply appropriate recognized standards.
- Make use of endorsed assurance schemes for controls that should be put in place to manage risk.
- Educate users and maintain awareness.
- Promote a risk management culture.
Security is the voice of “know.” Just make sure that voice addresses risk.
That concludes our series on the Top 5 Findings From our Proactive Incident Response Engagements – a snapshot of the most typical challenges faced by organizations we encounter, and therefore areas we recommend for your attention. Our dataset is always growing, so new patterns emerge and we will continue to use that data to aid our customers in their growth along the security maturity curve.