Being a CISO is a tough gig. The perpetual deluge of news items on hack after hack, breach after breach, has finally conveyed that data security is an imperative for all companies, large and small. But the perception still lingers that the Chief Information Security Officer (or the InfoSec team) will single-handedly prevent breaches at “our” company – and if one should occur, will take care of the response. For some CISOs, it may feel like High Noon, all over again.
This is unfair to the CISO, and wrong on at least two counts. First, regardless of the CISO’s job description, the full range of cyber risk exceeds the scope of the CISO’s practical control. Second, effective breach response requires up to ten channels of coordinated activity, and nine of the ten fall outside of the CISO’s authority.
Your Attack Surface Exceeds Your CISO’s Reach
Your CISO or InfoSec team has a full-time job focusing on technical security for your company’s systems. But what about safeguarding the information you entrust to service providers and other third parties? Selection and oversight of service providers are important, yet at its core, service provider security is governed by contracts – such as the master services agreement, or a data security addendum, or a business associate agreement for HIPAA business associates or subcontractors. The CISO should be involved in identifying the issues to be addressed in such contracts, but Legal must take the lead, because fundamentally, this is contract lawyering. Similarly, the CISO may be involved in determining what practical risks should be addressed through cyber insurance procured by the service provider, but Risk Management/Legal must take the lead in framing contractual requirements for service providers’ insurance coverage.
And what about managing human security vulnerabilities of the workforce? The 2016 Verizon Data Security Investigations Report confirms that privilege misuse remains a significant problem, responsible for 16% of the more than the sixty-four thousand security incidents analyzed in the DBIR. And phishing attacks featured prominently in 40% of the DBIR’s breaches. Sure, the CISO should be integrally involved in workforce awareness and vigilance initiatives, yet HR must take at least a co-lead on workforce security training and policy enforcement. And at the end of the day, people will be people – such behavioral risks can be managed, but will never be eliminated.
Breach Response Requires Multi-Disciplinary Coordination Beyond Your CISO’s Authority
Your company’s IT function likely has several important elements already in place for detecting and managing routine data security incidents. Larger companies will have a Security Operations Center (SOC) within their IT function, which commonly uses a Security Information and Event Management (SIEM) tool to detect and evaluate network intrusions. Companies may also have a Computer Security Incident Response Team (CSIRT or CIRT), usually with IT InfoSec leadership, focused on computer security tasks for incident response, including detect, evaluate, contain, eradicate, and restore activities.
Breach response, however, involves far more than security incident response. Though vitally important, the IT security capabilities for incident response mentioned above are typically neither intended nor sufficient to manage the other nine activity channels that must be coordinated for effective response to actual breaches:
- Legal: conduct fact-finding, analyze breach response and notification requirements and exceptions, contract with response service providers, and determine whether and when to issue a legal hold;
- Forensic: engage third-party to investigate in a forensically sound manner, collect and preserve logs and other data, and make findings on means, methods, extent of affected systems and devices, and timeframes;
- Law Enforcement: determine whether, when, and how to notify which branch of law enforcement, and coordinate access, information-sharing, and the overall investigation;
- Regulators: determine whether, when, and how to notify which regulators, and coordinate ensuing inquiries, information-sharing, and repercussions;
- Insurance Coverage: evaluate existing coverage under traditional and cyber policies, determine when and how to notify insurers, ensure use of approved response service providers, coordinate information-sharing, and document response costs and activities as required for coverage;
- Public Relations: determine the communications plan, execute the plan, and anticipate and handle the unexpected;
- Stakeholders: timely brief, escalate, and update internal management and Board stakeholders, and coordinate appropriate communications with business partners and other key stakeholders;
- Notifications: as appropriate, engage a notification service provider, identify whom and how to notify, determine the need for call center support, decide whether and what credit monitoring and fraud resolution services to provide, and stage, test, and deploy breach notifications.
- Personnel Management: determine employee involvement and any policy violations, act on appropriate employee counseling or discipline, and communicate as appropriate with the workforce.
No CISO or InfoSec team can reasonably be expected to get all of this done. Effective breach response demands a multi-disciplinary team effort. And it also requires advance preparation. The various breach response activities overlap and entwine, and they must be coordinated to keep the response effort coherent and timely, as the response clock ticks. Also, if you wait until an actual breach to locate and vet alternative forensics firms, notification providers, and other response service providers, you’ll lose valuable time, along with surrendering your bargaining power in those engagements.
As Joe Demarest of the FBI Cyber Division succinctly put it back in 2014, “You’re going to be hacked. Have a plan.” Yes, your CISO or InfoSec team already has an Incident Response Plan for handling their IT Security detect/evaluate/contain/eradicate/restore tasks. But your organization also needs a Critical Incident Response Plan for coordinating all ten activity channels for those critical security incidents that may require actual breach response.
And where have we heard this before – an information-related, compliance and risk management imperative for the organization, which requires a coordinated, multidisciplinary, silo-busting strategy for effective response? You guessed it. Information Governance.