With few companies actually doing regular data-breach rehearsals, many CISOs will be at a loss as to exactly how to kick off a response after they detect a data breach.
The key, according to IOOF Holdings head of cybersecurity Ashutosh Kapsé, is to not panic – and then to begin analysing the situation with the knowledge that you’ll never get on top of the situation by yourself.
“Don’t panic,” he told the audience during an expert panel session at the recent CSO-Kaspersky Labs Cyber Insights event. “Try to analyse exactly what has happened, calmly and in a balanced manner. If you are at the CISO level, you are probably too low in the organisation to be dealing with this by yourself; you need to involve the CEO and board level people.”
That may be tricky given a likely “very stressful event” as the CEO prepares to front up to the media, but CISOs shouldn’t take it personally if they aren’t well enough equipped to handle the response, he added: “no one has enough money or resources” to handle it correctly.
Clarification about any cybersecurity insurance policies and an understanding of exactly what they do and do not cover, Kapsé said, and a good early investment in data collection and security analytics can be invaluable in coping when a breach eventually does occur.
“Someone needs to be delegated to be properly looking at the reports and providing data to the board,” he explained. “It is absolutely important to give the board and C-level executives this ability and control: once they feel the spotlight is on them, they will absolutely panic and make it difficult for you and your team to get this done.”
A clear message with clear timeframes can be essential in managing that panic: tell executives that you’ll get back to them in 20 minutes, he said, or they will be calling every 3 minutes for an update.
Doing that post-breach analysis is likely to take longer than 20 minutes, Kaspersky Labs senior security researcher Noushin Shobab offered, particularly if you establish that an outside attacker was involved.
“You’ll have to get an emergency response team that is capable of doing different aspects of the technical investigation to understand what has happened,” she explained, “as well as what was the nature of that hack, when and how the attackers got into your system, and which parts of the network are expected to be able to stop the attackers from going further.”
One part of the network that always needs close examination is the people using it, Telstra head of cybersecurity Jacqui McNamara offered.
“It comes back to how to educate users about security,” she said.
Guides such as ex-Telstra CISO Mike Burgess’ Five Knows of Cybersecurity, and the Office of the Australian Information Commissioner’s data breach management guide
One of the key things to know is how – or whether – the organisation has built security into its operational procedures, or whether it has fallen into what IDC vice president of blockchain and security research Simon Piff said was an all-too-common trap.
“We have an inflection point in the industry,” Piff said. “IT vendors and organisations have implemented IT and said ‘what about security? Don’t worry, that’s taken care of by the firewall.’... we have seen security [compromised] because of some bad decisions made by global organisations.”
Evolving SecDevOps paradigms offered a more integrated approach, he added, because when security is embedded at the base of the paradigm, “security ferments” and matures.
Yet making that happen in reality requires the CISO to be driving a much broader agenda than simply looking at information security, McNamara said.
“For a long time we have not seen the CISO role and CISO team as business leaders,” she said. “People asked why they would care about that, but they’ve really got to start. I think part of the CISO role now is engaging with business leaders.”
And this, Kapsé said, returns the discussion to the CISO’s clout at a business level: “the CISO’s main currency is trust,” she said. “The CISO’s level of trust with the other business leaders is of utmost importance and is absolutely key to the security of the organisation.”
As this trust is built, Piff said, CISOs will find they can be progressively more successful in driving regular, companywide cybersecurity drills to test out cyber response plans. Without early and ongoing executive support, he said, organisations may find out too late the consequences of failing to build up the right cybersecurity culture.
“In a lot of organisations the CISO is responsible for the security of all the devices, systems, and network,” Piff said. “But data security and management are a separate thing until that data is lost. But the CISO has no view of whether the organisations is encrypting or backing up data, and whether the snapshots are looked after. So when there is a breach, everyone asks ‘what are you doing?’”
“The question for CISOs is: since it’s all about the data, do you want to also take on the role of data manager? It should be whoever is looking after the security role.”