Last year’s Notifiable Data Breach (NDB) scheme forced nearly every Australian business to consider how it would respond to a data breach – and, by all accounts, many companies were struggling.
Just weeks before the scheme’s implementation, a MinterEllison study found that just 40 percent of businesses were prepared to comply with the new laws.
Even as reports piled up – official figures suggested the scheme was on track to record nearly 1,000 data breaches in its first year – many organisations are still trying to finalise the details of their own cyber response plans.
A recent NTT Security Report found that despite the long run-up to the NDB and its focus on data-breach response, just 51 percent of Australian companies have a cybersecurity incident response plan in place.
That’s a difficult statistic to reconcile with corporate claims that they are looking after Australians’ private data – particularly when Facebook compromises hundreds of millions of passwords, or major companies like Toyota get breached, claim the situation is under control, and then get breached again worse than the first time.
To CEO or not to CEO?
The steady stream of breaches has brought the importance of a clearly defined cybersecurity incident response plan into even sharper relief.
But how would your executives react in the event of a major data breach – and how would your cybersecurity team handle the event?
Would there be a series of frenzied meetings, late-night calls, shoulder shrugging and hastily-prepared status reports?
Or would your team calmly step through the details of a plan they laid down years ago and have fastidiously practised and refined on a regular basis?
If your company is like most, the former response is more likely than the latter. Yet while disaster management might be a core part of being a CEO, one specialist warns, a cybersecurity incident requires a different approach.
Organisations have to be conditioned to avoid what Matty Stratton, a DevOps evangelist with incident-response advisory firm PagerDuty, calls ‘executive swoop’.
“The incident response commander should be the highest-ranking person during an incident,” he told Information Age. “That means they’re higher than the CEO – but just don’t surprise the CEO with this.”
In a pressure-cooker situation where a company is responding to a cybersecurity event, the CEO will be more valuable as part of a broader response – liaising with the business units and ensuring that the cyber response plan is followed properly.
DevOps – a strategy for optimising the business by co-ordinating the activities of development staff and operational staff – has gained currency as a means of helping business and technical staff work in lockstep.
It’s proving so valuable and in-demand that a recent survey found 41 percent of Australian CIOs were struggling to find qualified DevOps staff.
Its more recent derivative, DevSecOps, adds security staff to the mix and offers similar discipline, co-ordinating the work of applications developers, security practitioners, and operational staff.
Agree to agree
Good alignment between development, operational and security staff reflects a company culture where security is a shared responsibility – and it’s this kind of culture that is essential to building an effective cybersecurity response.
Yet many responders struggle to communicate response plans to the rest of the organisation: just 39 percent of respondents to the NTT Security Report believe their employees are fully aware of cybersecurity incident response policies.
“We want to be sure that we’re not just filling out forms and writing a document that nobody is going to read,” Stratton says. “We need to share this information.”
Stratton, who recently presented at DevOps Talks Conferences in Melbourne and Auckland, highlights the value of the ‘Four Agreements of Incident Response’ – a framework of agreements, pioneered by author Don Miguel Ruiz, that can help generate more consistency across the cybersecurity response.
The decidedly non-technical agreements inform “a more mature, effective, and humane approach to incident response”, Stratton wrote in a recent blog.
The first agreement – ‘be impeccable with your word’ – reflects the need to “keep good lines of communication,” he said, “and notify stakeholders so you are being clear about what you’re talking about. We talk about the idea that you don’t litigate security.”
Clear lines of communication also allow anybody in the business to trigger an incident response – something that many organisations delegate but, Stratton says, should not.
“It is very important that anyone can trigger an incident response,” he said. “You don’t want to be too dependent on your automated tools. The worst thing that can happen is that if there wasn’t an incident, you got to practice your incident response.”
The second agreement – not taking anything personally – ties in with the need for better communication, especially when it comes to fighting executive swoop.
“It’s important to think about how we are working during an incident,” Stratton explained, “because when we have an incident we shift from regular operations to emergency mode – and it changes how we work.”
That doesn’t mean an incident is “a license to treat your co-workers poorly,” he added, “but the person in charge of the response outranks everybody – and that’s something executives have to not take personally.”
The third agreement – don’t make assumptions – reflects the need for clear communication of responsibilities and actions, which can be particularly tricky in the midst of a stressful incident response.
Stratton warned against saying “can someone...” when delegating tasks, for example, because “everyone will assume someone else is doing it. You need to be clear about assigning tasks and following them up.”
The final agreement – ‘always do your best’ – seems to go without saying, but can be difficult when adrenaline surges in the heat of the moment.
The key to success, Stratton says, is to systematically breed the panic response out of the organisation and replace it with a far more planned series of actions based around cooperation, information sharing, and follow-up.
“Don’t panic,” Stratton said. “Everything about being on call, and being paged during an incident, is designed to drive your adrenaline through the roof. But we want to make these things routine – and we find that if you act calm, people will be calm.”