Reloaded: Paying Lip Service to Incident Response

Drazen Drazic

Drazen Drazic is the managing director of Securus Global, a leading Information Security consulting organisation specialising in application and network security, penetration testing and product testing for international security vendors. He is engaged as a consultant across most industry sectors on Information Security policy and strategy. In earlier times, he has headed up Information Security for a global investment bank and Big-Four professional services firm, been a regional IT director and has spent years promoting and talking about information security. Twitter: @ddrazic

"It will take a massive incident for our company to wake up to itself!" How often do you hear that in the information security industry? All the time — so what generally happens when things go horribly wrong after the "incident" occurs?

Here's how the scenario plays out:

1. A big internal WTFJHM (What The **** Just Happened Meeting) takes place. (Generally 95 per cent executives with no idea and 5 per cent staff — with some idea).

2. The meeting will go along the lines of:

  • What happened? Do we know? (Regardless, we'll tell the media we do and that it's not what they think).

  • How did it happen?

  • What's the risk to our revenue and share price?

  • Who's to blame? Can we blame someone else? (Response for anyone potentially in the firing: adopt the ‘three wise monkeys’ approach, say "We didn’t know something like this could happen", blame APT.)

Alternative Text

  • Do we have some "friendly" media mates who we can use to get some spin out?

  • How do we actually fix this problem?
  • 3. Draft a press statement along the lines of: "We take our client information very seriously, and always have!". Where possible, find a scapegoat. Nowadays, use the ‘APT’ line of defence because that is the “save our backside” line that works consistently!

    4. Call in IT to fix the problem so that the media can be told that it's all under control. Sit back and wait for the magic to happen.

    5. When IT explains the greater problem and what investment is required to fix and to stay on top of it, check whether media is still running hot on the story.

    • If media is still interested, tell them “we” are tirelessly working on it to ensure that it never happens again and reinforce statement regarding care for client information security. (Bloody APT). Then give IT lip service along with bare minimum support and funds to do some bare minimum security theatre. (Do we need a penetration test to demonstrate we’ve done something?)

    • If media has moved onto something else, perhaps the latest Kardashian ‘leaked’ video scandal, quickly lose interest and get on with business as usual.

    6. Has the storm blown over? If not, repeat step 5. If it has, move to step 7.

    7. Wipe incident from memory. (After all, Australia has no regulators to worry about and, besides, history shows that data security breaches in large companies rarely result in any noticeable long term loss of business).

    8. Keep IT security spending at bare minimum and ignore IT security team reminders of the incident. What incident? Something about APT?

    In my experience, the only time it plays out differently is when some form of regulator is involved (for example, PCI DSS and the Payment Card Brands). If no one holds a big stick over the company, little changes regarding their long-term corporate security practices and mind set.

    As an industry, we must remain vocal and continue to push for change. No one else out there knows the extent of how bad things really are in data security these days.

    If we don't speak up, who will? As usual, I welcome your thoughts.

    Drazen Drazic is managing director at Securus Global.

    Follow @CSO_Australia and sign up to the CSO Australia newsletter.

    Show Comments