Organizations need to conduct an impact assessment, root cause analysis and post-incident review to understand the full impact of a security incident.
By Steve Durbin
One of the primary aims of information security is to prevent incidents. However, it is nearly impossible for organizations to completely avoid serious incidents, and while many are good at incident management, fewer organizations have a mature, structured approach for analyzing what went wrong. As a result, they're incurring unnecessary costs and accepting inappropriate risks.
Despite our best efforts, not all incidents can be prevented. Today, businesses need mature incident management capabilities. Without a proper impact assessment, businesses don't know the incremental, long-term or intangible costs of an incident. But those costs still affect the organization’s bottom line. Because it's crucial to manage incidents well, many organizations understandably focus on incident or crisis management and returning to business as usual. Post-incident review is often neglected, viewed as a costly burden and considered a distraction.
This is a mistake!
Incident management alone is ineffective. It must be accompanied, for the incidents that warrant it, by post-incident review. A complete incident management process can continuously improve information security, decrease the likelihood of future incidents, increase resilience and reduce impact.
A View From the Top
C-level executives across the board are now tasked with managing security risks. Unfortunately, most IT business decision-makers are not dealing with daily catastrophes but with creating a stable environment to reduce risk and its associated costs. While a security breach can get immediate attention from the board of directors, the infrastructure and systems needed to recover from and prevent another devastating hit are not exactly boardroom fare. That's for the trenches, right? Wrong!
Organizations have limited resources that are prioritized to areas of greatest need or return. Without knowing the cost of potential incidents, organizations will misdirect resources, fix symptoms instead of causes and not spend money where it's needed to mitigate a major incident in waiting. Also, most organizations have a limited appetite for investigating incidents due to the understandable desire to return to business as usual. However, this means they miss valuable learning opportunities.
A thorough understanding of what happened and why is necessary to properly understand and respond to underlying risks; this is needed by all members of the organization’s board of directors. Without it, risk analyses and resulting decisions may be flawed, leading organizations to assume greater risk than they intended.
Threats and Risks
Broadly speaking, a security incident occurs for one of two reasons. Either it's a risk that the organization previously decided to accept or it's due to gaps or deficiencies in the organization’s response.
Threats are universal, and they are the genesis of every incident. They include targeted attacks by malicious insiders and external parties, service and system interruptions, human error, and natural disasters. While it is neither economical nor possible to prevent all incidents, businesses can decrease the likelihood and impact of risks by maintaining a solid understanding of current and future threats.
While threats are universal, the risk they pose is specific and contextual depending on the existing vulnerabilities. A threat can present a different level of risk to an organization depending on the vulnerabilities that result from a multitude of factors, such as the organization's industry, geography, capabilities and controls. Evaluating threats and assessing risks should be a standard element of every organization's risk management processes.
Risks can be accepted, mitigated, transferred or avoided. Not all threats can be identified, not all risks can be mitigated and some risks are accepted; therefore, organizations need to have a defined and well-exercised incident management process.