Tommi - Fotolia
As a corporate attorney for Lewis Roca Rothgerber LLP, Chris Pierson established the firm's cybersecurity practice and advised companies on incident response and recovery from high-profile breaches. With compromises on the rise, CISOs must take ownership of incident response planning and engage third parties to “show not tell” management about the business problems that can be avoided with due diligence, he says.
Pierson, who currently is the chief security officer, executive vice president and general counsel of Orlando, Fla.-based Viewpost IP Holdings, heads the company's cybersecurity and compliance programs. Pierson is an appointed member of the DHS Data Privacy and Integrity Advisory Committee and Cybersecurity Subcommittee and he is a distinguished fellow of the Ponemon Institute. He formerly served as the senior vice president and chief privacy officer for the Royal Bank of Scotland's U.S. banking operations, where he led its privacy and data protection program. We caught up with him last month to discuss ways to find and address gaps in incident response programs.
There's been a lot of discussion lately that CISOs will be judged by their incident response management rather than incident prevention, which is no longer a realistic goal. Do you agree with that premise?
Chris Pierson: I think it's even more broad than that. Companies are going to be judged by their response to incidents and issues that occur within the enterprise. The days of incidents not being a fact of life, especially not impacting every company at some point in time -- those days are gone.
Every company has issues and will have incidents and will have these challenges and these struggles. Really, what you are seeing in the marketplace is a pivot to more attention on incident response, investigative techniques and solutions that provide investigative capabilities, and there's more attention on planning so that these events are dimensioned through tabletop or live-fire exercises well ahead of time. So I think the entire company is going to be judged as well as the CISO, the CIO -- they will be playing more of a role -- but even legal and compliance have a lot to offer here [and] will be important to bring along as partners, as well.
What is the CISO's role in incident response, and is that role changing in your estimation?
That's a good question. I think they are the owners of the response. They may be partnering with the CIO, but at the end of the day all eyes are going to be on the CISO. What is it that we are doing? What do we know as of right now? What other information do we need? And, what resources are being brought to bear to analyze, access and make decisions about this item that is in front of us now and challenging our business? I think the CISO is the quarterback of the response from a technology perspective.
Their role is also a part of a broader team in terms of achieving success for the company. [CISOs] are not the individuals that would be typing up breach response letters, they are not necessarily the individuals that would be on the frontlines of PR communications; however, they are going to be strong constituents and strong collaborative partners with those other roles when an incident happens.
I would also like to stress -- this is critically important -- that all eyes, including those at the highest levels, are going to be on the CISO in terms of what people, internal and external, need to be brought in on the incident. It must be well dimensioned ahead of time. CISOs must know all of the components and people because they are leading the charge -- prior to any incident occurring -- on tabletop exercises. And this includes people who are involved in outside counsel and marketing and communications. CISOs really do need to be the glue that is holding this together in terms of preparation.
Is a CISO's role in incident response changing?
Chris Pierson, Viewpost
I think the answer is that it has changed. Previously, the CISO was going to be the one responsible for providing technology advice and guidance on what has happened: How do we remediate? They were responsible for rationalizing those aspects of things.
The role has changed in two key areas. First, in terms of the preplanning, they are being looked at in terms of knowing what players need to be at the table and making sure that this is done well ahead of time through tabletop exercises. Second, I think that the CISO is really, at the end of the day, the one who is partnering with compliance and with legal way ahead of time in terms of knowing what those roles are and playing a larger role on the team. It's no longer just the 1's and 0's of the corporation; those individuals must be informed and exact in terms of the rules and regulations that affect them.
How do you see the CISO's role in defining the scope of a security incident, particularly in terms of understanding the scope of the incident or underestimating the effects of the incident in front of management?
First and foremost, the CISO is responsible for making sure that everyone throughout the company knows what types of incidents are likely, how those incidents might play out and what has been prepositioned to rise to those challenges that occur. And, finally, what the roles and responsibilities are of all the other players -- I think that is critical.
The other aspect is making sure that there is some type of governance process [in place]. It could be something that is outside of the CISO or, even better yet, owned broadly by compliance, risk or legal. It's important to have all the stakeholders at the table to make sure that the executive level and senior members of the company all have the knowledge of breaches and what might occur. And [to be sure] that everyone is comfortable and has bought into the potential responses so that when something happens, there isn't a lot of confusion, time wasted and good will expended because of not being organized. I think that's really critical in terms of areas that a CISO needs to pay attention to.
How do you justify the time to prepare for incident response? And who should be involved in this planning, especially when the chief executive says, 'We don't want any incidents here.'?
That right there is a phenomenal question -- getting the organization on board. And, it doesn't really matter what the size of the organization is, either. The key that the CISO has to worry about is having everyone understand what their roles are and how it is going to affect the company and weaving this into business objectives. There must be some broader business justification for the time, for the resources, for the money that is involved in preplanning and then ultimately responding to the incident.
I will tell you this, preparing from a business perspective in terms of protecting good will and protecting branding and protecting trust at the customer can be more readily achieved by preplanning incidents. [That means] preplanning for when things go wrong and assembling the right team -- one that knows how to work together, knows what the rules and responsibilities are -- and an executive that understands this can go a long way toward protecting the operations of the company. That [approach] is what is going to get the company to success. That is what is going to save money in the long run by not having a lot of missteps and negative impact on the brand or position of the company.
During a presentation at RSA earlier this year, you mentioned the Department of Homeland Security's cybersecurity evaluation program and discussed some of the ways to 'show not tell' management about the business problems. Can you elaborate on some of that?
One of the key leadership aspects of the CISO is to make sure that you are showing not telling the executives and even the board of the company about the risks that are present, about what you are doing to combat those risks and even the lifecycle of those risks and how they impact your company. One great way to do that is by having third parties engage with the company, whether they are external auditors or external security professionals, it doesn't matter.
One great tool is the DHS C3 (Critical Infrastructure Cyber Community C3 Voluntary Program) initiative, which is a way that DHS can come in as a partnership and help rate your organization across the spectrum of information security infrastructure and other technologies in terms of risk and tell you in terms of the NIST cybersecurity framework and other standards where you might rank and provide that information to you. They also provide a lot of documentation on how you might want to close gaps, if there are gaps in your organization, or achieve clarity on any of the items that are present.
Or you can do it yourself. About a year ago, February 2014, this program was opened up for individuals to use on their own. So it can be brought into any size organization regardless of cost or expertise and be used as a way to really risk rate and map your organization. It is a phenomenal tool, one that I hope everybody knows about or is considering utilizing.
How often should companies review their incident response plans? The general rule used to be annually, or something along those lines. Has that changed?
I think it really has changed. The absolute latest that an incident response plan should be reviewed is once a year. With all material new risks or new threat vectors affecting a company, the incident response program should also be supplemented and reviewed.
So if you are a retail company that is dependent on point-of-sale terminal devices and had access to the breach information of about a year ago, your organization should not have waited for an annual review. You should have reviewed your incident response plan to see how it would fare so that you are well positioned to pivot to any future challenge in information security.
About the author:
Kathleen Richards is the features editor of Information Security magazine. Follow her on Twitter @RichardsKath.