Friday, May 9, 2014
Cyber Incident Management
I came away from that session thinking that even seasoned professionals, in a field where we have a dearth of candidates for actual posted jobs, are still thinking in hierarchies and processes that are not real time where cyber is concerned. The best possible scenario, at least in my view, would be a cyber incident response team that works on the ground until a trigger (cost, additional resources, reputation, media) kicks the relevant questions up to the regular crisis management team to handle, while the response team keeps working on the ground. Target is a good example of a company that could benefit from this type of streamlining, now that they have shed both CEO and CIO, and become the target of a range of lawsuits. That corporate sloppiness is going to cost them millions before they are through this problem -- and I would doubt that their insurance company will be paying out against any of the loss, given that their security team ignored alerts about compromises of their systems.
Yesterday, I had the privilege of hosting former Seattle CISO Mike Hamilton in my advanced risk course. Through examples and out of his years of experience, he made clear to students that firms can avoid financial loss from cyber attacks only if they employ state-of-the-art monitoring (and then pay attention to what the alerts say) and develop a "rapid-response capability," using on-the-ground data collectors like help desks and ticketing systems to escalate incidents. He suggested that key metrics any firm could invest in would be time to incident close, cost per incident, and incident frequency.
Two thought-provoking takes on the state of the union where cyber is concerned. I'll get a third perspective later this month from Aaron Weller, head of PwC's information security practice here in Seattle, when he visits the same class. Along the way, before they hear Aaron, they'll hear from Microsoft security chief Mike Howard, who'll describe the global reach of his organization, as well as from Mary Gardner, head of information security at Fred Hutchinson Cancer Research Center.
Though security isn't the only area of risk we focus on in this course, it's certainly central to many of our discussions.