The NIST Cybersecurity Framework focuses twice on the concept of improvement, doing so within both the Respond and the Recover functions. For improved response, NIST recommends that organizations incorporate lessons learned into their response plans and update their response strategies. When it comes to improved recovery, NIST echoes that guidance: Companies should incorporate lessons learned into their recovery plans and update their recovery strategies. Because of these similarities, it is helpful to consider this article in the context of our May 2017 Cyber Tactics column, “Been Hacked? Let That Be a Lesson to You.”
Still, there are some important differences to keep in mind. Because recovery is the final stage of incident management, a retrospective at this point can be more complete. In addition, from a risk management perspective, recovering from a major cyber incident involves more than restoring the company to its prior state. Instead, a mature cyber recovery program would have a company pick itself up, wipe itself off, and start all over again… not battered and bruised, but from a position of greater strength across the entirety of the Framework’s Identify, Protect, Detect, Respond and Recover functions.