Organizations worldwide tend to mirror the culture of the country where they’re founded. Here in the United States, we have long maintained what I like to call a “Culture of Winning.”
Long before Charlie Sheen and his tiger blood became a pop culture phenomenon, we have been driven to be the best in everything we do. Our sports teams only matter when they win it all. We expect our Olympic teams to bring home the most gold medals. We strive to maintain our perceived status as the greatest nation on the planet. And of course, our companies must always be successful and be “the best.”
This culture of winning has certainly held true for decades, and many American companies have both led the way technologically and maintained their financial success year over year.
However, this drive to always be the best commonly creates a huge negative for many organizations: an unwillingness to acknowledge even the possibility of failure. In the Information Security field, incident response is one of the most critical parts of any security program, but is often overlooked because, as one CISO once put it to me, “If we plan to fail, we’re acknowledging failure will happen, and our company doesn’t fail.”
I could almost hear Murphy gleefully laughing at his Law gearing up for a whammy of an example there.
The reality is, of course, that when it comes to any kind of security incident, it’s never a matter of if, but when. Whether that comes in the form of a natural disaster that impacts business operations, an external breach of critical data or intellectual property, or an insider threat which exfiltrates data or causes other damage to your organization’s functions, it is imperative that a proper security incident response plan is well-defined, documented and communicated to all the relevant parties within your company.
While there are many pieces to a great incident response effort, the most important is a buy-in from all parts of the organization, up to and including the very top executives. Nevertheless, getting this kind of buy-in to build a plan that specifically addresses what to do when things go wrong can be nearly impossible if your organization’s culture is one of always winning and never failing.
If you are part of a security program and find yourself fighting a culture of winning that doesn’t support your efforts to plan for failure of any sort, consider highlighting some of these other benefits to your management team. These are all items which must be part of a successful incident response plan, and they will also bring operational benefits above and beyond the incident response plan itself.
If you are one of the lucky few who have full support within the organization for an incident response program, you still should ensure that your management team reaps all the benefits a formal plan can bring to your company.
If not, there are still plenty of ways to encourage your company to maintain its culture of winning without resorting to tiger blood infusions, simply by highlighting the benefits of planning to handle failure with a proper incident response plan.