Save time with unbiased, independent feedback on vendor solutions.
Watch weekly bite-sized webinars hosted by IANS Faculty.
All business leaders, including those on executive boards and committees, are expected to prepare their corporate responses to security incidents ahead of time, rather than react when an incident occurs. This piece provides some foundational guidance
for executives, detailing exactly what is expected of them before, during and after a security incident.
Organizations are responsible for protecting a variety of confidential business information, all while adhering to an assortment of compliance and regulations. Regulatory agencies are levying fines and sanctions for lack of data protection and poor incident
response (IR). Organizations are now facing above-average pressure to defend their systems and data from accidental breach and deliberate outside attack.
All leaders across the organization, including those on executive boards and committees, are expected to have IR scenarios planned and their corporate responses prepared ahead of time, rather than simply reacting when a security incident occurs. The following
six steps provide some foundational guidance.
Leading in times of crisis is an executive management duty. Failure to come to a consensus on key policy decisions during an incident (e.g., whether to pay a ransom or hire outside expertise, how and what to communicate to key stakeholders, etc.) causes
stress, confusion and mistakes.
Regular executive tabletop exercises that present the most likely incident scenarios and enable executives to role-play responses is a necessary component to being prepared.
Management at the highest level should be expected to help define the top, most likely loss/attack scenarios and participate in regular executive-level tabletop exercises to test assumptions, unify policy decision-making and verify the completeness
of response playbooks.
Incidents often occur at inconvenient times. Outside attackers deliberately choose dates and times when the business is distracted or vacationing. Management must have a playbook that enables the organization to take the first steps to respond smoothly
Many people in the organization will be asked to lead in a serious incident, but few have been through real battle conditions. Without an incident playbook, “learning on the job” will create confusion and delays and lead to mistakes. Playbooks
When an incident is declared, the first steps are to secure the safety of individuals and systems and stop the bleeding. Teams must identify the initial source of the intrusion and shut down related components (e.g., workstations, compromised credentials,
servers, websites, etc.) to close whatever holes caused the incident. Executives can participate here by keeping the team focused on the task at hand. They should also request a rough estimate of impact (best case, worst case, most likely) to be used
as a basis for planning next steps.
DOWNLOAD: Essential Guide: Ransomware Prevention and Response
Significant incidents spread quickly through the organization and out into the business world. Various business and department heads will need to be mobilized. Some examples include:
Outside vendors with previous experience will also need to be used. Statements of work will need to be negotiated and on the shelf so these experts can quickly assist in the investigation and remediation phases. Some examples include:
Clear and accurate information is seldom available in the early stages of an incident. Executives should avoid making firm or detailed statements to the outside world that will have to be walked back later. Instead, allow the situation to evolve.
As details of the data and systems impacted become clearer, seek guidance regarding regulatory reporting. Pay particular attention to when the notification timeline “starts ticking,” meaning the timeline doesn’t start on the day you
first learn about the incident. You are allowed time for investigation, analysis and confirmation.
To preserve attorney-client privilege and control side-channel leakage, it is a good idea to have legal counsel and corporate communications control all information flow (externally and internally).
It’s also important to resist the desire to ask for frequent updates from the technical team. Frequent meetings force key workers to focus on status meetings with business executives rather than getting up-to-date answers and making progress on
incident containment and response.
Be aware that conversations, meeting notes, emails, documents, etc., associated with the incident may be discoverable. All those involved in the initial response, repair, investigation and eventual remediation must be aware that incident artifacts cannot
be arbitrarily destroyed or altered.
Executives should ensure the IT group, in cooperation with the legal department, places the appropriate legal holds and secures copies of all artifacts during and after the response.
Incidents often have long tails. Executives must manage the post-incident fallout and strike a balance between transparency and legal exposure for any statements admitting guilt/culpability. They must also pay for the extra costs incurred via budget realignment
and engagement with cyber insurance companies.
READ: What Security Teams Want to Know About Responding to Ransomware Attacks
The time to start planning to respond to an incident is now. Executives across the organization should:
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in
connection with such information, opinions, or advice.
February 29, 2024
By IANS Research
Access key data sets from the 2023 -2024 IANS and Artico Search’s Cybersecurity Staff Compensation Benchmark Report. Gain valuable insights on cybersecurity staff roles to hire and retain top security talent.
Access key data from IANS and Artico Search’s Compensation, Budget and Satisfaction for CISOs in Financial Services, 2023-2024 report. Find valuable insights around the Financial Services CISO role to help better understand your situation, improve job satisfaction and drive organizational change.
February 21, 2024
Learn why cloud IR is critical to security and not just another box to check. Find guidance to get started building a strong cloud IR program.