I've seen two separate approaches taken to data breach remediation recently. On the one hand, Target's CEO at the...
time of the breach had been very forthright and the company has been actively communicating with affected customers since the breach was discovered. On the other hand, Neiman Marcus CEO Karen Katz waited several days to issue a public statement after rumors of her company's breach were confirmed. In general, how would you, as a CISO, advise a CEO to handle a breach publicly? Is there anything to be learned from these two examples?
There are several factors that contribute to how quickly a company can report a data breach that must be taken into account when comparing these two incidents. The circumstances of each data breach are unique, so it isn't fair to compare or scrutinize company responses without firsthand knowledge of each incident. Neiman Marcus may not have had all of the information needed to go public, for example. The accuracy of what is reported to the public is just as important as the timeliness of the report. It can be time-consuming to identify the point of entry and the number of records or devices that have been compromised. Law enforcement may require a delay in notification until they have more information about the perpetrators as well.
The unfortunate modern-day reality is that there is a good chance a data breach will occur. It is naive for an organization to operate in the mind-set that its systems are impenetrable and that all its data is always completely protected, because it is an ever-changing risk environment. The best-prepared organizations have accepted this new reality and developed formal incident response plans for when a data breach does occur.
A well-thought-out incident response plan is critical to an organization's ability to navigate through all of the actions required during a security incident. The incident response plan should guide the organization through each phase of responding to a data breach, including discovery, investigation, mitigation, communication and prosecution. It should have roles defined for each member of the incident response team, including oversight, public relations, finance and technical teams. These roles will allow the organization to respond as quickly and as accurately as possible given the wide variation of potential data breach incidents.
There are too many factors that play into how quickly an organization communicates a data breach to the public to make comparisons between responses. The best-prepared organizations use an incident response plan as their playbook during a data breach investigation. I would rather judge an organization by how well its incident response plan helped it through the incident than the time it takes to report the incident. The organizations that deserve further scrutiny are those that are ignoring the reality of the modern threat environment and have no incident response plan in place.
Ask the Expert
Have questions about enterprise security management? Send them via email today! (All questions are anonymous.)
Learn how to create a data breach response plan in just a few quick steps!
Dig Deeper on Information Security Incident Response-Information
Related Q&A from Joseph Granneman
The consequences of phishing attacks could fall on the victims as enterprises start to punish employees who fall for this age-old scam. Expert Joseph... Continue Reading
CERT's ITPM certification is designed to help enterprises with their insider threat programs. Expert Joseph Granneman discusses the certification and... Continue Reading
Privileged users pose a growing threat to organizations. Expert Joseph Granneman looks at this insider threat and shares ways to mitigate it. Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.