It’s a dangerous world for protected information, with major breaches in the news and a challenging cyber-threat environment behind the scenes. Cyber theft for competitive advantage, denial of service attacks, ransomware intrusions, and even state-sponsored espionage are real dangers, as are conventional breaches compromising individuals’ protected information. State PII breach notification obligations loom large for customer and employee data. For BtoC organizations, cardholder data can also be at risk. And HIPAA/HITECH imposes its own breach response requirements for employers’ self-funded health plans.
Organizations must be prepared to respond to data breaches, but effective response is no small matter. There are ten different channels of response activity for an organization that has suffered a security breach: Security, Legal, Forensic, Law Enforcement, Regulators, Insurance Coverage, Public Relations, Stakeholders, Notification, and Personnel Management. Most of these activities are involved in every breach, and all must be dealt with in significant breaches. These activities are not sequential. They play out in parallel, with interrelated effects … and with the response clock ticking.
Many organizations have important elements already in place for certain IT Security activities, and some have a Computer Security Incident Response Team (CSIRT or CIRT), usually with IT Security leadership, focused on computer security activities for incident response. Though important, these IT Security capabilities are typically neither designed for nor adequate to manage the other nine activity channels needed for breach response.
Deciding how to handle all of these interwoven activities in the midst of an actual breach, with no advance planning, is a guarantee of failure. There simply is no substitute for preparation. Effective breach response readiness requires that the organization understand what will be needed in each of the ten activity channels for its anticipated breach scenarios, and also how these activities will be managed simultaneously to avoid unnecessary risk, delay, and cost.