Data Breach Digest: Going for the gold in data breach incident response
As I watched the Summer Olympics over the last month, I was inspired by the hard work, preparation and dedication of the amazing athletes from around the world all looking to achieve the highest prize in sports – the gold medal. From the impressive performance of the United States women’s gymnastics team to the men’s basketball team’s continued dominance, there were no shortage of great performances at this year’s Games.
Watching the Games got me thinking about what security incident response teams can learn from these athletes and teams. Several of the key qualities of Olympians are very similar to what those on a strong data breach response team should have. While we can’t all be elite athletes, we can strive to be elite incident responders, capable of mitigating the major reputational and financial impacts that a mega breach can have on an organization.
The following are key attributes of successful Olympic athletes that I think every response team can learn from and apply to their efforts.
Have a Game Plan and Perfect Your Craft
Competing at the Olympics is the culmination of a lot of preparation and practice. From extensive training regiments to developing the perfect back handspring and devising the right strategies on the court to beat the best teams in the world, athletes must prepare and train to succeed.
It’s similarly important for data breach response teams to have a well-documented strategy for managing the variety of data breach and security incidents they may face. Having a strong incident response plan in place and team that understands how to execute plans for a variety of breach situations is key to the response process. This means not only creating but also regularly reviewing and updating response plans to account for the latest threats as your opponents (hackers in this case) continue to change their tactics.
Equally as important is thinking about effective incident response as a craft that requires regular testing and readiness. This means regularly practicing incident response plans under as realistic circumstances as possible. Truly pressure testing the team will help ensure that when the big issue comes, the team will be able to effectively execute plans.
For those looking to jumpstart their planning, Experian offers and regularly updates a free incident response guide to help.
Work With the Best Coach and Trainers
While the athletes are the ones who get the spotlight, many credit their success to the coaches and trainers they work with daily. The best Olympic teams are made better by having strong leaders to help them navigate this very high-stakes moment. Often these coaches were once Olympic medalists themselves and are able to instill their experience to help the team perform at its best.
Likewise, having the right team of outside experts supporting internal incident response teams is key to successfully managing an incident. This includes what is often known as a “breach coach” from an outside law firm who can help direct the investigation into the incident and ensure that the team is taking all the right steps to address the many activities that need to go in to successfully managing an incident. When combined with strong communications, forensics and data breach resolution experts, companies will be able to effectively manage even the most challenging incidents.
Similar to the relationship between a coach and team, chemistry is important in incident response. It’s essential that companies identify and meet with their outside team ahead of an incident to ensure smooth collaboration.
Teamwork is Key
Each person on an Olympic team brings his or her own unique strengths to the table. The U.S. basketball team wouldn’t win with five forwards on the court, even if they were the very best in the world. In incident response, the sum needs to be more than the parts and the ability to leverage the strengths of each team member during an incident is vital for overall success. Along with identifying the core response team, recruiting other “utility players” who can help a response go well is also important. For example, having a strong program manager in place to help the incident response leader track progress is an important role that is often not incorporated into incident response plans but can take a starring role during an incident.
Equally as important is communicating across the various responsibilities of incident response functions. Key to this process is the forensics team regularly sharing updates on what is known and unknown throughout the technical investigation into the incident. This information is vital to making key decisions about when to disclose and what information to share publically. Establishing a regular cadence of meetings during an incident and encouraging open lines of communications between functions is key to success.
Poise Under Pressure
Similar to a make or break Olympic moment, a data breach is a high-stress activity that requires poise under extreme pressure to make the right decisions and execute. Having a plan and strong team are important building blocks to an effective response, but they will fall apart if the response team doesn’t stay calm under the pressure that tends to come from all sides during a multi-million record security incident. Be it regulators asking tough questions about security practices, media demanding more information than the company is willing to disclose, or customers outraged that their information was lost, there are no shortage of pressures that can distract a team. It’s important that all of the issues that come up during a major incident are carefully and methodically addressed by the team and not reacted to in a knee-jerk fashion.
A related attribute that is important is the need for the team to remain agile and able to adjust tactics based on what’s happening with an incident. What’s known about a security incident in the first 48 hours is much different than in the first two weeks. An issue that appears to be small or contained can often balloon into a mega-breach upon further inspection, which requires a change in tactics. The opposite is also true, and again, will require the team to change plans quickly.
While security teams may never receive the glory that Olympic athletes receive, there is no doubt that following many of the same principles will lead to a gold medal performance during an incident that can save a company’s reputation and position in the market.
About the Author: Michael Bruemmer, CHC, CIPP/US, is vice president with the Experian Data Breach Resolution group. With more than 25 years in the industry, Bruemmer brings a wealth of knowledge related to business operations and development in the identity theft and fraud resolution space where he has educated businesses of all sizes and sectors through pre-breach and breach response planning and delivery, including notification, call center and identity protection services. Bruemmer currently resides on the Ponemon Responsible Information Management (RIM) Board, the International Security Management Group (ISMG) Editorial Advisory Board and the International Association of Privacy Professionals (IAPP) Certification Advisory Board. He can be reached at [email protected].