4. Adopt a post-breach mindset: from prevention to cure
A caveat to all advice concerning the prevention of a breach (here and elsewhere) should be that – whatever lengths you go to in order to educate your organization, and however much you invest in security – with the average enterprise fielding over 4,000 attacks per day, and the average employee at any of these enterprises being (after all) a human being, a breach remains inevitable.
It is perhaps at this critical moment, with a successful breach underway, that an organization with siloed Security and Operations teams suffers most.
At this point, the preceding lack of collaboration and communication in a siloed organization naturally spills over into the crisis. All too often, we see siloed organizations waste the opportunity to make a significant positive difference to a breach’s final damage bill by bickering, playing the blame game, and generally burying their heads deep in the sand.
What could they be doing instead? Well, according to the Ponemon Institute, organizations able to contain a breach within thirty days save a million dollars compared with those that don’t. And with the right SecOps alignment in place, organizations can expect to respond much, much more quickly than one month!
The stakes are hardly small, and in some circumstances, could spell the difference between your organization’s survival and extinction.
What are the three main steps you need to take?
Security and Operations need to form a collective plan
The opposite of passing the buck, of course, is having a shared, crystal-clear understanding of precisely what your responsibilities are in a crisis scenario. These will inevitably involve Security and Operations teams having to work together. In most organizations, the dynamic is the same as with vulnerabilities – Security identifies, Operations remediates.
The organization must empower Operations to react
Once the organization acknowledges the importance of the collaborative model, it will quickly become clear what Operations requires in order to react to a breach. It can ultimately be reduced to three core capabilities: Actionable Visibility (so they can see where the attack is taking place), Automation (so they can effortlessly extend the fix) and Real-time Response (so they can react quickly).
Of these, speed is increasingly celebrated by forward-thinking CIOs such as Signify CIO Kurt De Ruwe: “Viruses and phishing attacks happen in the moment, so you need to be able to react quickly. There was a time when it was OK to wait a week, two weeks before having the information, but today, real-time information makes all the difference.”
Extend funding to encompass a cure (as well as prevention)
We hear all the time in medicine about the priority of prevention over cure. In IT Security, a degree of reversal is taking place. It follows naturally that, with a shift in mindset, a shift or expansion of funding will follow.