The operational nature of cybersecurity in an organization is critical to its success and legal health. In light of recent developments such as the SEC prosecution of SolarWinds, the upcoming implementation of its new reporting rules, the growing strength of the GDPR enforcement regime in Europe, the need to maintain resilience in the insurance sector, and countless related developments, it is clear the nature of protections regulators are looking for. , will be the main focus of litigants, the court and, of course, business partners in the supply chain. A fundamental concern will be the size of the response to the incident.

So here’s an idea for you. If you were asked to draw a simple diagram to represent safety, would you draw a line or a circle? Then, for your diagram, what labels will you add to it? Would your tastes change if you started with a label?

If you look at the topic of security this way – as an idea – you will draw a circle, even if you start with a line. Labels force you to go there.

Cyber ​​Security Ransomware Email Phishing Encrypted Technology, Digital Information Protected Safe getty

Clear classifications are available for safety labeling. You have choices about which one to use and what level of granularity to apply. A useful label is “prevent”, in the sense that you would like to prevent a security breach from occurring. The second is “detection,” because you want to know when a breach, or an event that could lead to a breach, has occurred. The second is “Reply,” because you can’t ignore a violation. You have to deal with them.

When we lay it out this way, you have a logical flow of requirements and it gives us a line. But thinking about it some more, we would not want to face a repeat of the violation, or a similar incident. We want to stop the repetition, which helps us realize that the line folds back on itself, giving us a circle.

We can try another idea piece. What came first, the chicken or the egg? The answer is that it doesn’t matter and can we circumvent this dilemma by reframing the question: What do we want? The answer is that we need both chickens and eggs. We need that cycle, a cycle of life.

Operational focal point for security posture

Now, these thought pieces are not idle speculation, because they take us to two operational focal points. The first focal point is that we will actually find a circular formulation in the standards for best practice for quality assurance of processes. Sometimes this is known as the Deming Cycle, or Plan Do Check Act. The second focal point is the operational reality of the incident response itself.

The key question is whether our operational reality is providing a circle, or just a line. If it is giving a line for incident response, two results will come up. First, the incident response will not be in line with best practice. Second, due to the intersection of operational security and security law, incident response will not provide legal compliance if the circumstances and context of the incident are subject to legal duties (considering the vastness of the scope of security law, the most appropriate starting point is Let us assume that this is the case).

do not get me wrong; Some organizations are excellent at incident response. This is important to say, because if excellence can be achieved, there must be compelling reasons not to do so. However, my experience is that it is very rare to give an operating cycle, or even an estimate of one, for incident response. Most often, this provides a flat line, or if there is something looping back to prevent feedback, the diagram looks like a ski, or a show shoe, or a U-turn, but not a circle.

Weaknesses in incident response

There are many reasons for this incident. One is related to silos, which leads to failure to respond holistically. Silos exist in incident response for many reasons. One reason is that the response is one-dimensional, using a single skill set, so it does not address all other issues beyond that skill set. The second reason is the different levels of understanding, skills, resources and priorities in the multidisciplinary response. The problem of mixed priorities in multidisciplinary response arises from the fact that response is not the “core business” for all members of the incident response team.

Let me break it down a bit. For example, if you have plans for incident response in line with international best practice, according to the ISO/IEC 27035 family of international standards, you may have formed an “incident management team”, which includes an “incident coordinator”. shall include. ” and a variety of different specialists that make up the incident response team itself. You will also have process connectivity to other business functions such as change management and business continuity. If you use NIST you will create similar structures, even if you -Will use different labels.

Collectively, this means there will be a range of actors involved in incident response, from people with full-time roles in cybersecurity to those who only get involved when things go wrong. Therefore, reacting to the incident is the main business for some people, but not for others.

This drives a race to the end of the line, rather than completion of the cycle, as people in ad-hoc roles in cybersecurity want the problem to be over and put to bed as quickly as possible, so they can return. . Their main occupation. Thus, when the short-term and immediate goals of the response are accomplished, incident responders begin to leave the scene. The circle is not complete.

This will be most obvious to those who have been involved in a serious incident. If that misfortune happened to you, what was your experience like? Was it “all the way”, high octane intensity for a short period of time, followed by a gradual decrease in intensity and engagement? Do you sense or suspect potential shortcomings, or unfinished business?

You see, the reality of incident response in most cases is that, apart from technical roles, there is usually insufficient activity to properly learn and act on the lessons, so that response can be transformed into prevention.

supply chains

A good example relates to supply chains, which encompasses everything from the use of third-party technology providers to MSPs. In a supply chain incident, the root cause may be weak security controls around the servers. However, the preventive actions needed to avoid recurrence may relate to the procurement of third-party support, or institutional processes for the assurance of that support. If the response only fixes controls around the server, and not the underlying procurement or assurance processes, then you have operated a line, not a circle. Your work may seem complete, but it really isn’t.

Therefore, what we need to focus on is the need for a post-incident intensive review (PIR), so that all the lessons of the incident response can be learned and acted upon. This is required by operational safety and security legislation.

post event review

Practically, how can you tell if lessons have been learned and acted upon? Well let PIR be your atlas. It should provide a clear topography of all the issues that need to be addressed in the context of your organization and event. The atlas includes root cause analysis across some large continents and domains, re-running the risk assessment process, and adjusting control frameworks based on the results. You need to be able to have your hands on plans and records of output for this type of thing. If you find you can’t do this, your incident response has probably failed, operationally and legally, even if you have patched the server.

So, if you had to draw a simple diagram to represent security in your organization, would you draw a line or a circle?