The CISO’s guide to security incident response

If you’ve ever had a bad dream about work, you know how frustrating and emotionally draining it can be. It usually involves a normal situation that you face regularly, but something goes wrong, and you can’t fix it right away. In the dream, you might be running late to the office, or missing a meeting, or hearing bad news that you’re powerless to stop. When you wake up, you likely shake the dream off and start your day, hoping it doesn’t actually occur in waking life.

Ask security pros and CISOs about their work-related dreams (or nightmares) and you might hear tales about:

  • Suffering a data breach, but not realizing until sensitive data is in the hands of a malicious party;
  • Calculating the company’s risk posture, only to learn that it has no way to learn exactly what it’s storing; or
  • Going to sleep with news of the latest high-profile security incident, and waking up to find your company is one of the organizations that was hit the hardest.

What should CISOs do when their nightmares come true? Below are the top five ways every security pro can quickly get a handle on an incident response situation and protect customers from the earliest onset of a breach:

1. Treat the situation like what it really is: a crime.

Before a data breach affects your team, create a defined and documented procedure for preserving evidence and tracking the chain of custody for sensitive data. Depending on the type of crime and level of data exposure, law enforcement officials may need to get involved, and you must prepare to brief them as comprehensively as possible. Laying out such processes will help your team spring into action following a security incident.

2. Know where your sensitive data resides and who has access to it.

Every organization should be tracking user access trends and conducting internal audits to learn more about the makeup and location of its data. Even if you can’t access this level of detail, compare the state of your stored data to recent backups to identify changes, and review the access rights for sensitive folders. Would a contractor, part-time employee or dedicated third party have been able to modify your critical information?
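The backup comparison and access-rights review described above, as an added example written for this post (not DataGravity's own tooling): it hashes every file in a backup copy and in the live copy, reports what was added, removed or modified, and flags any directory or file that group or "other" users can write to. The directory layout, file names and permission bits are constructed for the demo.

```python
import hashlib
import os
import shutil
import stat
import tempfile
from pathlib import Path

def snapshot(root):
    """Map each regular file under root to (sha256 hex digest, permission bits)."""
    root = Path(root)
    return {
        str(p.relative_to(root)): (hashlib.sha256(p.read_bytes()).hexdigest(),
                                   stat.S_IMODE(p.stat().st_mode))
        for p in root.rglob("*") if p.is_file()
    }

def diff_manifests(baseline, current):
    """Files added, removed, or changed in content relative to the backup manifest."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current
                           and baseline[p][0] != current[p][0]),
    }

def broad_access(root):
    """Directories or files that group or 'other' users are allowed to write to."""
    root = Path(root)
    return sorted(str(p.relative_to(root)) for p in [root, *root.rglob("*")]
                  if stat.S_IMODE(p.stat().st_mode) & 0o022)

def demo():
    """Constructed scenario: a clean backup and a live copy that has drifted from it."""
    work = Path(tempfile.mkdtemp())
    backup, live = work / "backup", work / "live"
    (backup / "finance").mkdir(parents=True)
    (backup / "finance" / "payroll.csv").write_text("id,salary\n1,50000\n")
    (backup / "readme.txt").write_text("internal use only\n")
    for p in [backup, *backup.rglob("*")]:        # fixed modes so the result is deterministic
        os.chmod(p, 0o750 if p.is_dir() else 0o640)
    shutil.copytree(backup, live)                 # copies permission bits too
    (live / "finance" / "payroll.csv").write_text("id,salary\n1,99000\n")  # content changed
    (live / "finance" / "export.zip").write_bytes(b"PK")                  # unexpected new file
    os.chmod(live / "finance" / "export.zip", 0o640)
    (live / "readme.txt").unlink()                                        # file removed
    os.chmod(live / "finance", 0o777)                                     # writable by anyone
    try:
        return diff_manifests(snapshot(backup), snapshot(live)), broad_access(live)
    finally:
        shutil.rmtree(work)
```

Call `demo()` to run the constructed scenario; in practice you would point `snapshot()` at a mounted backup and at the live share and feed both manifests to `diff_manifests()`.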

3. Make your way through an established list of emergency contacts.

Just as your kitchen might have a magnet or notebook page listing local emergency numbers, your company should have a list of priority first responders to start contacting the moment a data breach is detected. Every CISO should have an incident response program in place that details who should be called in, who should be notified, and what procedures the responders should perform. This often comprises multidisciplinary teams from IT, security, and the executive team – each with a specific role and responsibility in the face of an incident.

4. Divide your team, and hold down the fort.

Some of your staff members will be most valuable if they cease daily activities and help the organization respond to the incident. Different issues will demand attention from different team members. For example, a data exposure of murky origins and a clear DDoS attack will have different protocols for response. However, during the remediation period, other team members will need to stick with their usual responsibilities and help the business continue serving its customers. As a CISO, don’t hesitate to suggest these assignments and ensure that roles and responsibilities are clearly documented and regularly updated.

5. Don’t forget your previous mistakes – or how you can learn from them.

Security incident response situations are bound to be stressful. Your team is operating at top speed, and even minor actions can have major consequences if they’re not approached mindfully. As you rush to secure your data and communicate updates to your network, revisit similar situations from the past. Learn from your mistakes and any hypothetical exercises you might have considered, and consider how you can refine processes for the future. After all, it’s unlikely that any security incident will be your last.

For more security incident response tips, subscribe to the DataGravity newsletter.

Andrew Hay

With over 15 years of data security experience in various roles inside organizations as well as advising them, Andrew serves as the chief information security officer at DataGravity. He is responsible for the development and delivery of the company’s comprehensive data security strategy. Prior to DataGravity, Andrew was the director of research at OpenDNS (acquired by Cisco) and the director of applied security research and chief evangelist at CloudPassage.