I recently had a conversation with a friend who told me that the company he works for (a large, well-known company) was changing its security posture. In the past, this company--like most--focused its security efforts around threat mitigation. In other words, the organization worked diligently to keep abreast of any potential security threats and then develop countermeasures. Now--after taking the position that, despite best efforts, it will inevitably suffer a breach--the company is working on security breach contingency planning.
This company has not given up on threat mitigation. Indeed, it remains committed to doing whatever it can to prevent a breach from occurring. But its new security posture is an acknowledgment of the rather unpleasant idea that an organization is statistically very likely to suffer a security breach--and that having a plan in place when such a breach does happen is essential for a quick and resilient recovery.
This reminds me of a parallel in a different context. Since 2015, I have been training to fly on a commercial space mission. In doing so, I have been taught that space hardware is highly complex, and that certain types of failures can easily lead to a loss of life. That being the case, the vast majority of my training has been aimed at contingency planning--teaching me what to do if I suddenly find myself in a bad situation.
Even though an IT security breach probably isn’t going to be life-threatening, it could threaten the life of the business. And, just as the contingency-based training that I have received in preparation for my eventual trip to space will help me deal with any problems I might encounter, contingency planning will help companies deal with any of the issues they will likely encounter after a security breach.
Think about it: Security breaches create a great deal of stress. When you are stressed, you don’t tend to think as clearly as you otherwise would, and it can be easy to momentarily forget about critical tasks. For example, some organizations are legally obligated to inform the authorities when a breach is discovered. It can be easy to get caught up in the moment--focusing on reviewing logs and IT-related tasks--and overlook this necessary step.
Another reason why it is a good idea to have a breach response plan in place is that security breaches are expensive, and the total cost of dealing with the breach is closely tied to the speed and effectiveness of the response. It is clearly in an organization’s financial best interest to take immediate measures to limit the scope of the damage. Having a well-developed plan in place can help an organization respond to an incident in the most effective way possible, thereby limiting financial losses.
Finally, the process of developing a breach response plan can actually improve an organization’s security. As an organization develops such a plan, its IT staff is forced to consider all of the various ways that a security breach might occur. This process can help an organization identify areas in which its cyber defenses are not as strong as they need to be. Assuming that the organization takes the initiative to act on such revelations, the organization’s security will be improved and a future breach might even be prevented.