Caroline McCaffery is the CEO & cofounder at ClearOPS, a Generative AI automation platform for security experts.
It’s time to update your incident response policies. Typically, an incident response plan lays out a process of identification, containment, investigation, attribution, remediation and communication. Once all of the following is complete, the team conducts a post-mortem to improve their process based on their learnings.
Cybersecurity is a fast-moving field, and recent cases against chief information security officers (CISOs) offer learnings that encourage us to revisit our policy for improvements. As CISOs are coming under even more scrutiny in how they handle incidents, I want to explore what the courts and the SEC have been focused on so that you can adjust your own incident response processes accordingly.
Ensuring Flexibility During The Process Without Losing Internal Communication
Flexibility and clear, appropriate internal communication are two critical factors when it comes to incident response policies. One example is the case against Joe Sullivan, former CSO at Uber and member of its incident response team.
During the attribution phase of the incident, Sullivan deployed an atypical tactic to uncover the identity of the hackers by using the company’s bug bounty program. While this tactic was successful, the incident had to be kept quiet, even internally, so that the attackers did not get wind of the trick.
Any level of secrecy within the incident response team means that the identified incident team members may not be able to do their jobs effectively, if at all. If there is a need for limited involvement of incident response team members, such secrets need to be short-lived and the process of the plan re-enabled as soon as possible. Getting the incident response team together during the remediation phase could help afford the opportunity to improve internal communication leading to proper external communication.
The outcome of the case saw Sullivan charged with obstruction and misprision, highlighting how essential it is for each phase of the incident response process to have enough flexibility to appropriately respond to the type of incident while also identifying clear roles and responsibilities. This way, no room is left for assumptions.
Expertise In Reporting Incidents In A Timely Manner
When faced with an incident, it can be daunting to know how to handle the press and media coverage. Preparing the incident response team with the skills they need for external communication is critical, especially as the window is quite short, as we see with the proposed SEC rules for public companies.
According to SEC release No. 33-11038 Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure, which is a proposed public company rule, material cybersecurity incidents must be reported in a timely manner (four days).
Tim Brown, CISO of SolarWinds, has stated that to be a CISO these days means being an expert on speaking to the media and taking the brunt of any incident fallout. He raises a good point that the incident response team must be trained to handle the intense public scrutiny that incidents cause, especially now that the disclosure requirements are codified.
To ensure that your team is prepared to report any incident within the four-day window, it’s important to find experts who can train them on what to say and how to say the facts surrounding a breach. For sure, the facts will change, and knowing how to make public disclosures while also preserving caution when facts are proven wrong in real time is not a skill most people possess. For this reason, it is important that marketing is part of the incident response team and that an external communications expert is consulted. Even better, have a few pre-written responses, whether a blog post, email alert or 8-K notice that can be tweaked quickly when the time comes.
Final Thoughts
It is clear that the incident response plan is a critical document requiring thought and preparation. I recommend you review your incident response plan as soon as possible and adjust it based on what we can learn from the incident response cases of today.
Each phase of the incident must have a dedicated team with clear authority and communication such that, if the investigation requires a higher level of confidentiality and a smaller team, once it is complete, the remediation team should reconvene to maximize internal communication channels.
Furthermore, the full incident team needs to not only be trained on incident response but also on how to handle media and press coverage. A crisis is not the best time to be learning in real time, which is why putting together an incident response plan and practicing it is the best course of action your company can take.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
Read the full article here