“Organizations cannot avoid serious incidents, and while many are good at incident management, few have a mature, structured approach for analyzing what went wrong. As a result, they’re incurring unnecessary costs and accepting inappropriate risks,” said Michael de Crespigny, CEO of the ISF.
The report found an alarming host of common issues preventing IT organizations from adequately implementing a closed-loop feedback system for their security efforts. Often there is no post-incident review at all, leading to incomplete risk management and weak incident management, the ISF noted. Spending priorities are also an issue: incidents often cost more than is immediately apparent, whether the organization knows it or not, yet organizations may be spending inappropriately on low-value measures that do not match up to the higher-cost threats. For instance, an over-emphasis on “black swans” can detract from higher-value activities, the ISF said.
It also found that poor incident management can create damage far beyond the incident itself, but that the incidents that result in major impacts do not always have major causes. “Businesses may be focusing on areas that should have a lower priority, fixing symptoms instead of causes, or worse, not spending where it’s needed to prevent an incident,” the organization noted in a statement, adding that the long-term ramifications of that should be of concern.
“While immediate and obvious costs may be easy to calculate, determining the incremental, long-term or intangible costs of a security incident can be difficult,” ISF said.
“Without a proper impact assessment, businesses don’t know the incremental, long-term or intangible costs of an incident – but those costs still hit the bottom line, costing the organization money,” de Crespigny said. He added it’s critical that executives “better understand how to respond more quickly and develop the resilience needed to survive the impacts from today’s complex security threats.”