ISF finds post-incident review sorely lacking in IT security departments

21 November 2012

As IT departments continue to struggle with security effort prioritization, the Information Security Forum has launched the “You Could Be Next” report, which helps organizations to include post-incident review across three stages: impact assessment, root cause analysis and recommendations.

“Organizations cannot avoid serious incidents, and while many are good at incident management, few have a mature, structured approach for analyzing what went wrong. As a result, they’re incurring unnecessary costs and accepting inappropriate risks,” said Michael de Crespigny, CEO of the ISF.

The report found an alarming host of common issues preventing IT organizations from adequately implementing a closed-loop feedback system for security efforts. Often there is no post-incident review at all, leading to incomplete risk management and weak incident management, the ISF noted. Spending priorities are also an issue: incidents often cost more than is immediately apparent, yet organizations may be spending inappropriately on low-value measures that fail to match the higher-cost threats. For instance, an over-emphasis on “black swans” can detract from higher-value activities, the ISF said.

It also found that poor incident management can create damage far beyond the incident itself, and that the incidents that result in major impacts do not always have major causes. “Businesses may be focusing on areas that should have a lower priority, fixing symptoms instead of causes, or worse, not spending where it’s needed to prevent an incident,” the organization noted in a statement, adding that the long-term ramifications of this should be of concern.

“While immediate and obvious costs may be easy to calculate, determining the incremental, long-term or intangible costs of a security incident can be difficult,” ISF said.

“Without a proper impact assessment, businesses don’t know the incremental, long-term or intangible costs of an incident – but those costs still hit the bottom line, costing the organization money,” de Crespigny said. He added that it’s critical that executives “better understand how to respond more quickly and develop the resilience needed to survive the impacts from today’s complex security threats.”
