olly - Fotolia
In the event of a data breach, enterprises tend to have a high executive turnover rate, which concerns me as a CISO. What are some ways to help ensure that I respond to an incident properly and avoid executive turnover?
There were more than a dozen major data breaches exposed in the month of November 2014 alone, including the Sony Pictures hack and an attack on the U.S. State Department.
The annual Cost of Data Breach Study independently conducted by Ponemon Institute and sponsored by IBM polled more than 250 organizations from 11 countries that participated in the 2014 study, including the U.S. The study stated the average cost to a company was $3.5 million in U.S. dollars and 15% more than what it cost last year.
Breaches are on the rise and so is the average cost per breach. But how does this affect the CISO's tenure? First, let it be understood that there is no such thing as absolute security. The mentality today is not whether an enterprise will be breached, but when.
Consider stolen cars. If some malcontent wants your car and if he is good at his trade, he will undoubtedly steal it. But when you put in a claim with your insurance company, they will want to know the circumstances of the theft, whether you informed proper law enforcement, whether you had reasonable controls in place, like if it was locked, had an alarm system, nothing of value was in plain sight and whether you had a LoJack or some other type of tracking device. If they find that you did not sufficiently mitigate the risk of your car being stolen, there will be a question whether your insurance company will cover its replacement.
The same applies for an enterprise IT environment. Chief information security officers need to deploy due care for the protection of critical information assets, but that is not enough. CISOs need to establish a sound incident response plan (IRP) and periodically test it. The IRP should be based on industry accepted incident response methodologies such as NIST 800-61. Once the IRP has been completed and approved by management, it needs to be tested at least annually using tabletop scenario exercises that include staff from IT, computer operations, information security, key business staff, HR, public relations and executive management. These tests then need to be reported formally to executive management showing the results and lessons learned from the IRP test.
The key to keeping your job as a CISO is communication and demonstration of incident handling in the event of a breach or other incidents that affect the company's ability to maintain proper security and mitigate risk. CISOs who perform their job duties in a vacuum and rarely speak or teach executives on the elements of information security or incident handling will find their job tenure in jeopardy when a real incident occurs.
Ask the Expert:
Have questions about enterprise security? Send them via email today. (All questions are anonymous.)
What's behind the growing trend of CISOs leaving their jobs? One of our experts explains.
Dig Deeper on Information Security Incident Response-Information
Related Q&A from Mike O. Villegas
As ransomware continues to surge, companies are faced with decisions to report the attacks, pay the ransom or both. Experts weigh in on the options ... Continue Reading
A social media security policy is necessary for most enterprises today. Expert Mike O. Villegas discusses what should be included in social media ... Continue Reading
A cybersecurity training center could help security professionals continue their education, but are the benefits worth the investment for enterprises... Continue Reading