#Infosec18: Incident Response Plans Failing the Agility Test

Too many organizations fail on incident response because they’re working from identikit plans with no agility to adapt to uncertainty, according to experts at Infosecurity Europe.

A panel debate on the final day of the show brought together CISOs, legal and PR experts to discuss what commonly goes wrong and how firms can improve their rapid response to a serious incident.

Nick Andrews, reputation management lead at PR firm FleishmanHillard, argued that too many internal processes are built around “assumed convenience”, without recognizing that when an incident hits, things can escalate quickly.

“Real life is messy and not neat. As soon as anything goes external you lose control,” he said. “Most organizations don’t think the unthinkable. We’re trying to create organizations that are nimble and can cope with the reality of uncertainty.”

Hunton & Williams partner, Bridget Treacy, added that too many plans are “cut and pasted” from other organizations without proper testing, meaning they can lack relevance.

She also argued that siloed approaches are doomed to failure.

“It’s not just the responsibility of your information security people. Others need to participate,” she said. “Too often the right people are not being brought in at the right time into the mix. It can make a big difference to handling a breach.”

Communication was highlighted as a key aspect of effective incident response, both within the organization and in how it engages with customers, media and regulators.

With so many interested parties that need to be informed, from the CEO to the ICO, “communication at various levels is the most critical type of work that needs to be done,” claimed Mashreq Bank CISO Tamer Gamali.

Pearson IT security officer Vincent Blake added that the same skill is vital for CISOs.

“CISOs have got to be excellent communicators and entrepreneurial,” he argued. “They need to be engaging so they can get issues across to the board.”

The discussion topic has extra relevance given that the GDPR mandates breach disclosure within 72 hours, reducing the window organizations have to gather information before they need to go public.

Several attendees claimed that few organizations will know much after just 72 hours, although Blake argued that if forensics are placed front-and-centre in the security function, a significant amount of information can be gathered within the first few hours.

However, a trained incident manager is essential to marshal these efforts, he added.