Information Security

Defending the digital infrastructure


Security incident handling: Prepare to find answers

CISOs work in stressful scenarios. Before you face executives armed with questions about security incident handling, it's time to formulate some of your own.

"Never be afraid to ask a question" is the well-trodden mantra of journalists everywhere. But it may surprise you to know that astronomer Carl Sagan is among those credited with the axiom:

"There are naive questions, tedious questions, ill-phrased questions, questions put after inadequate self-criticism. But every question is a cry to understand the world. There is no such thing as a dumb question," the Pulitzer Prize-winning author wrote in his book The Demon-Haunted World: Science as a Candle in the Dark.

CISOs often find themselves in stressful scenarios, where clear communication about security incident handling can result in better decision-making. As the "unofficial" leader charting the path forward in a potentially damaging security incident, can the CISO safely assume that all servers were patched as directed? That no files were transferred to or from the affected systems? The answer is probably no.

We explore security incident handling and some of the gaps that organizations and technology vendors are attempting to address in this month's cover story. Time to respond is a big one. NCR product management director Lenny Zeltser, who is well known for his work in antimalware and digital forensics, advises those tasked with security incident handling to have specific questions ready in advance to quickly gain control of the incident and response.

Finding vulnerabilities takes some skill, but experience and resources play a part, too. A December 2015 study found that, while 77% of the 200 U.S. security professionals surveyed indicated that their organizations had the tools to fight malware, those with a CISO or CSO function had a higher confidence level. Moreover, 94% of the companies with CISOs had dedicated incident response teams or security operations centers, compared with 48% of organizations without a chief of security.

More companies, beyond high tech, are also reaching out to the security research community at large for help with finding and fixing vulnerabilities. General Motors launched a vulnerability disclosure program in January, minus the monetary rewards.

Invitation-only bug bounty programs are also on the rise. We explore the risks and "rewards" of bug bounty programs in "Inside the Minds of Big Bounty Researchers."

Crowdsourcing and the role of researchers are both hot topics at RSA Conference 2016 (perhaps its last hurrah), as the hills of San Francisco welcome thousands of security professionals this week. Ironically, the area around the Moscone Center is notorious for credit card fraud and ID theft. (I should know—it happened to me.) Former guests of one Nob Hill hotel warned other travelers recently about employees who appeared to be skimming credit cards. Of course, the hotel, while admitting there was an issue related to unapproved charges, blamed it on buggy software.


This was last published in March 2016


What is the CISO's role in incident response? Is it changing?

The CISO's role is one of communicator, collaborator and motivator. The CISO should be aware of all activities occurring, have update meetings as warranted, but allow the Incident Response Team the latitude and independence to perform the functions that he hired them for - utilize the expertise they have. This is not always easy as the CISO may have been the Incident Response Manager previously, but the CISO needs to be managing senior leadership and the oversight bodies of the agency or company. CISO efforts at delivering understandable status reports and impact assessments are key to keeping the response team moving forward. CISO collaboration with other business stakeholders to address the impact of the event and how recovery will occur and possible timelines for full return to operations. The CISO role as a motivator cannot be overstated. Many will look to the CISO for a "feel" for the significance of the event and how recovery is progressing. Response staff needs to know the CISO is supportive and is aware of their needs and limitations.

The role is changing - to a communicator, collaborator and motivator, not just as a technologist and repairman.
