Breaches happen; of course they do. Over the years I have seen organizations suffer both internal and external attacks – from naive misuse of computer systems or contraventions of what constitutes acceptable use, right up to fully fledged attempts at data hacking, fraud or extortion.
Sometimes CIOs respond quickly and effectively, accepting responsibility and taking immediate steps to ensure the lightning doesn’t strike twice. Equally they, and their executive peers, can follow a version of the four stages of trauma before acting. That is, moving from denial to anger, and then bargaining before reaching a level of acceptance.
They’re not denying a breach has happened of course. What I often see, however, are organizations acting (or trying to act) as if there was nothing more to be done. “We had preventative measures in place. Could have happened to anyone,” is often the attitude. The answer is that not every breach can be prevented, particularly given how complex IT has become.
When the dust fails to settle, the anger sets in. A realization that the knock-on effects are going to be more profound that expected — that regulators (or indeed, customers) need to be informed, that disciplinary action really does need to be taken, that worst of all, money has been lost or needs to be spent. Such realities start to focus the corporate consciousness.
At this point, many conversations turn to bargaining — in a nutshell, “How much will it cost to put things right?” Questions about whether the scenario could have been avoided turn to proposals for improvements: these sometimes involve security products but equally aim at softer targets, such as funding for better operator training for administrators or improving staff awareness.
Acceptance can quickly follow. For security professionals a common scenario is for budget to become magically available in a matter of days or weeks following a security incident. While this is frustrating, it can also result in a feeling of blessed relief from the security team, as a much-needed capability finally gains the attention it deserves.
Does this sound familiar at all? The bottom line is, CIOs need to accept their company will be breached and shift their security strategy from ‘breach prevention’ to ‘breach acceptance’. This means deploying mechanisms and procedures to deal with the consequences of breaches as well as pre-emptive measures — for example by securing the data itself, whether it’s in the cloud, virtual, hybrid or mobile environments, rather than relying on access mechanisms.
In the meantime a broader, corporate attitude of responsiveness goes a long way towards keeping risks in check and reducing the potential for damage. This may be vested in an individual such as a CSO or security manager, but sharing such a perspective across the executive team is the best way to prevent the stages of breach trauma from getting in the way of an appropriate response.
For more about the breach acceptance stage and how to prepare for a breach, check out securethebreach.com.