Friday, May 9, 2014

Cyber Incident Management

When I was in New Orleans last month at the Continuity Insights conference, I heard Steven Ross from Risk Masters give a presentation titled "Cyber Attacks: Myth and Reality." Ross has been doing this work for a long time, and much of his talk covered sensible risk management against possible cyber threats. He hooked me into the discussion once he suggested we get rid of the myth that business continuity and information security are two distinct groups. Then he backed up and proposed a special crisis management team for cyber. I was not enchanted with this notion, since the more teams that are created, the more confusion reigns about who is in charge. His proposed team looked a lot like what the standard crisis management team would look like in the environments where I am charged with streamlining business processes and corporate functions. One of his justifications for creating a special team was that a crisis management team that usually relies on traditional recovery methods like redundant data centers just wouldn't work for cyber, because the software is likely to be infected in both locations.

I came away from that session thinking that even seasoned professionals, in a field where we have a dearth of candidates for actual posted jobs, are still thinking in hierarchies and processes that are not real time where cyber is concerned. The best possible scenario, at least in my view, would be a cyber incident response team that works on the ground until a trigger (cost, additional resources, reputation, media) kicks the relevant questions up to the regular crisis management team to handle, while the response team keeps working on the ground. Target is a good example of a company that could benefit from this type of streamlining, now that they have shed both CEO and CIO and become the target of a range of lawsuits. That corporate sloppiness is going to cost them millions before they are through this problem -- and I doubt their insurance company will be paying out against any of the loss, given that their security team ignored alerts about compromises of their systems.

Yesterday, I had the privilege of hosting former Seattle CISO Mike Hamilton in my advanced risk course. Through examples drawn from his years of experience, he made clear to students that firms can avoid financial loss from cyber attacks only if they employ state-of-the-art monitoring (and then pay attention to what the alerts say) and develop a "rapid-response capability," using on-the-ground data collectors such as help desks and ticketing systems to escalate incidents. He suggested that key metrics any firm could invest in would be time to incident close, cost per incident, and incident frequency.
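To make the two ideas above concrete (the trigger-based hand-off from the incident response team to the crisis management team, and the three metrics Hamilton named), here is an added example that is not from the original post or from either speaker. It assumes a ticketing system can export incidents as records with an open time, a close time (empty while the ticket is still open), a running cost estimate, and flags for media attention or outside resources; the field names, the escalation thresholds, and the sample tickets are all constructed for the example.

```python
"""Incident metrics and escalation triggers from ticketing-system records.

Added example, not code from the original post. Field names, thresholds and
sample tickets are constructed assumptions, not any real product's schema.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass
class Incident:
    ticket_id: str
    opened: datetime
    closed: Optional[datetime]        # None means the ticket is still open
    cost_usd: float                   # running cost estimate kept on the ticket
    media_attention: bool = False     # set by comms when press inquiries arrive
    needs_outside_resources: bool = False  # e.g. external forensics retained


# Constructed sample export; timestamps and costs are illustrative only.
SAMPLE: List[Incident] = [
    Incident("INC-1001", datetime(2014, 3, 3, 9, 0), datetime(2014, 3, 3, 13, 0), 1200.0),
    Incident("INC-1002", datetime(2014, 3, 18, 22, 30), datetime(2014, 3, 20, 10, 30), 8500.0),
    Incident("INC-1003", datetime(2014, 4, 2, 8, 15), datetime(2014, 4, 2, 9, 15), 300.0),
    Incident("INC-1004", datetime(2014, 4, 29, 16, 0), None, 42000.0, media_attention=True),
]


def mean_time_to_close_hours(incidents: List[Incident]) -> float:
    """Metric 1: average hours from open to close, over closed tickets only."""
    closed = [i for i in incidents if i.closed is not None]
    if not closed:
        return 0.0
    total_hours = sum((i.closed - i.opened).total_seconds() / 3600 for i in closed)
    return total_hours / len(closed)


def cost_per_incident(incidents: List[Incident]) -> float:
    """Metric 2: average cost across all tickets, open ones included."""
    if not incidents:
        return 0.0
    return sum(i.cost_usd for i in incidents) / len(incidents)


def incident_frequency_by_month(incidents: List[Incident]) -> Dict[str, int]:
    """Metric 3: number of incidents opened per calendar month (YYYY-MM)."""
    return dict(Counter(i.opened.strftime("%Y-%m") for i in incidents))


# Assumed trigger threshold: above this the crisis management team is looped in.
COST_ESCALATION_USD = 25000.0


def escalation_reasons(incident: Incident,
                       cost_threshold: float = COST_ESCALATION_USD) -> List[str]:
    """Which of the hand-off triggers (cost, resources, media) an incident hits.

    An empty list means the response team keeps handling it on the ground.
    """
    reasons = []
    if incident.cost_usd > cost_threshold:
        reasons.append("cost")
    if incident.needs_outside_resources:
        reasons.append("additional resources")
    if incident.media_attention:
        reasons.append("media")
    return reasons


def escalations(incidents: List[Incident]) -> Dict[str, List[str]]:
    """Map ticket id -> trigger reasons, for tickets that need escalation."""
    result = {}
    for inc in incidents:
        reasons = escalation_reasons(inc)
        if reasons:
            result[inc.ticket_id] = reasons
    return result


if __name__ == "__main__":
    print(f"mean time to close: {mean_time_to_close_hours(SAMPLE):.1f} h")
    print(f"cost per incident:  ${cost_per_incident(SAMPLE):,.0f}")
    print(f"frequency by month: {incident_frequency_by_month(SAMPLE)}")
    print(f"escalate to crisis team: {escalations(SAMPLE)}")
```

Open tickets are deliberately excluded from time-to-close but included in cost per incident, so a long-running, expensive incident shows up in the cost figure and in the escalation list rather than being hidden until it closes.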

Two thought-provoking takes on the state of the union where cyber is concerned. I'll get a third perspective later this month from Aaron Weller, head of PwC's information security practice here in Seattle, when he visits the same class. Along the way, before they hear Aaron, the students will hear from Microsoft security chief Mike Howard, who'll describe the global reach of his organization, and from Mary Gardner, head of information security at Fred Hutchinson Cancer Research Center.

Though security isn't the only area of risk we focus on in this course, it's certainly central to many of our discussions.