When it comes to best practices, proactively creating a security breach response plan falls somewhere between "paying your employees" and "not blowing your project budget on lottery tickets" on the common-sense scale. In an age where certain information can be as desirable as the most expensive luxury goods, knowing what to do before a compromise occurs means not learning on the fly. That's a crucial distinction when the threat of a security breach becomes a reality.
Emphasis on when. Breaches, as a recent Forrester report notes, aren't just highly likely these days — they're inevitable. With 45 percent of enterprises reporting at least one data breach in 2014 and 60 percent expecting to experience or find an existing one this year, any organization with a reliance on IT — that is to say, every organization — should move forward expecting that a breach will strike at some point.
For CISOs, that fact comes loaded with subtext. From job (and, indeed, career) security to the basic need to fill one's professional roles properly, crafting a competent response is less of a best practice and more of a necessity. Here's why:
And that's putting it mildly. The Forrester report's take on several recent high-profile breaches almost reads like a corporate episode of Game of Thrones: Businesses folding. Millions of dollars lost. Customer data winding up in nefarious hands. Employees and board members fired for what amounts to dereliction of duty, and so on.
That sounds brutal, but it's true. The reasons behind breaches are endless — Forrester cites a slew of motivations that "run the gamut from financial to political to retaliatory" — and the consequences, as noted, are all too real for the customers, companies and individual employees who suffer their effects.
While the financial bottom line is just that, assets such as reputation are as important as they are intangible. They become even more important when you realize an organization doesn't need to be remotely high-profile for a security breach to irrevocably tarnish its reputation. According to Forrester, 47 states and several territories (including Washington, D.C.) require reporting when a breach involves personal information.
The impact here is as huge as it is obvious: A breach might not make the news, but when the people impacted are the ones buying an affected organization's products and services to begin with, each bit of mandated correspondence becomes another arrow to the company's reputation. And over time, those arrows can fell even the sturdiest enterprises.
If you're in a CISO role, you already know security isn't a game of reactions — it's one of preparations. Security breach response plans are the logical extension of that idea.
They're also, depending on your exact duties and situation, a lot of other things: a one-way ticket to job security and a way to prove yourself an invaluable part of your organization's technological future, for instance.
Take this blog post. To sum it up, a well-executed plan necessarily covers all the bases an enterprise must take when a breach occurs. Effective deployment of that plan "positions the CISO as a strategic thinker who wants all the bases covered." That CISO is much more attractive to his employers than the one who goes ad hoc and figures he'll deal with breaches when they come.
In fact, the benefits of effective planning take a sort of goose-and-gander shape during and after a data breach. If CISOs do their jobs right, their superiors will understand that no security measure can fully remove the possibility — or inevitability — of an attack; as long as the security measures taken are stringent and the plan supporting them is thorough and executable, CISOs and their companies alike can take solace in knowing they took every possible precaution and were ready to act when attackers came knocking.
For the company, that solace comes from being able to inform customers of all precautions taken. For the CISO, helping one's superiors understand what security is and isn't can be a huge relief alone; toss in the aforementioned career security and satisfaction of a job well done and you have something that makes sense professionally and personally.
Response plans aren't about building an impregnable defense; rather, they exist for the moment those defenses fall. The Forrester study covers how to start future-proofing your existing measures quite well — if you're ready to move forward with your own plan, reach out for help. Whatever your motivations, no matter how you measure success as a CISO, treating breaches as inevitabilities and acting accordingly is about as common sense as it gets.
For more information on preparing for security breaches, download Forrester's Planning for Failure report here.