The three questions all CISOs should be prepared to answer (Part Three)

In the first two parts of this series, we addressed the questions "Are we secure?" and "Are we compliant?" In this final section we will address the question, "Are we ready?"

Are we ready?

Ready for what? For an incident of course! As I already mentioned in the first part of this series, if some of the world's largest corporations, security vendors, and intelligence agencies have suffered security breaches, the probability that your security program will be the exception is very low. So while you should do everything that is reasonable and prudent to prevent an incident, you should also ensure that you have appropriate processes in place to deal with an incident when, not if, the inevitable occurs.

One of the first steps in ensuring that you are ready is making sure that you have the appropriate controls in place to detect that an incident has occurred, hopefully before your clients or a journalist call you to tell you of the problem. If all of your controls are focused on prevention and you have little technology or process in place to deal with the detection of threats, I can tell you that you are likely already compromised.

Even if you do have detective controls and technologies in place, they do you no good if you do not devote the time and resources needed to tune them to your environment and then monitor their output so that you are alerted on suspicious items. As several recent large incidents have demonstrated, having preventative controls is one thing, using them effectively is another. Having centralized log monitoring where no one is looking at the logs, IDS/IPS where the majority of rules are turned off, AV with out-of-date signatures, advanced APT systems where no one follows up on the alerts, firewalls with "any - any" rules - the ways that technology can be implemented to give the appearance of security while actually delivering next to no benefit are endless.

You also need to think about your vendors. Assuming that you are involved in the negotiation of the contract as we discussed, you should have ensured that there were appropriate clauses in the contract to notify you in the event of a breach in their systems or an issue involving your data. Likewise, if you are a vendor you will likely have such stipulations in your contracts with your customers.

For all these scenarios, when a breach is detected, reported, or suspected - either internally or externally -  you must have an appropriate team in place to react, investigate, and triage the event. While many companies would report that they have a CSIRT (Computer Security Incident Response Team) in place to deal with the analysis of the incident through to containment, eradication, and remediation, this is only the foundation for the incident response process you will need. Additional items to consider include:

1. Do they have the appropriate contracts within the business to deal with the public/business aspects of an incident and not just the technology aspects? These include Public Relations, Sales (for incidents involving specific customers), Legal, HR (for incidents involving staff), and Business Leaders (in case the CEO needs to be briefed before they get called by customers, regulators, or the press) at a minimum. It is this higher-level incident response team that needs to coordinate any response to an incident that involves significant interactions with law enforcement, regulators, clients, customers, or the press.

2. Has the incident response team(s) determined likely incident scenarios and planned/rehearsed them prior to an actual incident? The time to work the kinks out of your incident response program is not when you are in the middle of fighting a real fire.

3. Do you have a post incident process in place to perform a root cause analysis on the incident to determine not only what went wrong but why? Without a thorough examination of why the problem occurred, it is very likely to be repeated down the road. This is one of the most commonly neglected items in incident response, either because of a lack of time or resources, or because of the perception that it will turn into a "hunt for the guilty" - perhaps within the security organization itself. However, when conducted in the spirit of learning and improvement for the organization as opposed to assigning blame, this can be an area where you can get the biggest payoffs in increasing the security of the organization.

When you are confident that all of the above measures are in place, then you will be prepared to answer in the affirmative regarding "Are we ready?".

The three questions that I covered in this series are the foundation of what you should be prepared to answer and discuss when speaking with your board or leadership. Based on your response to these questions there will doubtless be additional questions and lines of inquiry and discussion opened - which is ultimately the dialog that you want when discussing your information security program with your company's leadership.

Learn more about Online Business Systems’ Risk, Security and Privacy practice by clicking here. 

This piece was originally posted on LinkedIn Pulse and is reposted here with the permission of Michael Lines.