When there is a fire, it must be extinguished. Anyone who has ever been in a fire wants to prevent it next time. It is the same with security incidents. Some time may pass without an incident – but they happen and will happen. Trend reports show that incidents are not becoming fewer. On the contrary – they are becoming more advanced and targeted. Although some targets will be more popular than others, there are no safe hide-outs. For instance, even smaller schools in countries with languages spoken by small populations are being targeted these days. Banks, big networks, government and military entities are ‘popular’ targets.”

– European Networt and Information Security Agency

“Risks to reputation are not anymore part of the emerging risks; in fact, they have been on the risk management radar for over a decade now. However, the last year of this first decade of the 21st century seems to have seen a burst of incidents all over the economic spectrum that tainted the reputation of even well established companies. BP suffered their third blow of the decade with the oil spill in the Gulf of Mexico, Toyota product recall was a warning to the automobile giant that blog can be damaging, not to speak of the SEC suit against Goldman Sachs. If these may be PR disasters to some extent, it would be very casual to not investigate all those event in depths as the root causes are probably not in faulty communication, but rather in faulty operations, faulty governance, etc.”

- Jean-Paul Louisot, Jenny Rayner, Managing Risks to Reputation: From Theory to Practice

What is poignantly clear is that incidents can be defined in many different ways to many different departments and organizations. However, it is the managing of those incidents that outline the strength and longevity of a business. If their processes were in sync, then the return on investment for that key process would have been a worthwhile expenditure. When considering incidents within a particular organization, we must properly explain how incidents are defined by not only each of the varying departments and their particular processes, but also have an understanding of the overall definition the organization gives.

Equally critical is the reporting process. Reporting and managing incidents allows processes to be changed to stop incidents recurring and prevent potential harm turning into actual harm. Thereby, enabling a business to add value to the safety and security of all employees and clients, create potentially more profitability for the company, help reduce incidents and losses and more importantly, provide a built-in defense against accusations of negligence or inadequate security. However, an understanding of an incident must be clearly determined.

As a matter of course, our security industry defines incidents in many different ways by many different departments both in Information Security and Physical Security.  Hence, a broad definition must be sought so that it encompasses the vast range of incidents that may occur. Why is this so important? Having a narrow or more specific definition of what an incident may endanger the organization or specific department from fully realizing the extent of the incident, making the reporting of that incident incomplete.  Therefore, rendering the organization at a disadvantage from realizing the full extent of the risks involved. 

For this article we will define security incidents as those natural or man-made events or hazards that adversely affect the organization, but must be examined and reported to potentially mitigate a reoccurrence. We are essentially gathering facts and conducting an investigation – gathering of evidence and related data to an occurrence, or incident with the goal of arriving at a logical conclusion based on the evidence. 

That evidence and the assessment conducted during the investigation must be accurately recorded. In today’s environment with everything being digital and “Big Data” taking a grip on the size and complexity of the information being obtained, designers and management are obligated to ensure that solid and coherent strategies are developed to provide consensus within the management team. Lack of a strategy will dismantle the effectiveness of the information obtained and diminish the ability to properly mitigate a reoccurrence. While many security incident reporting strategies depend on the organization, there are a few baseline security incident-reporting strategies that should be utilized when developing this type of program.

Planning & Preparation

First of these strategies is planning and preparation. Each department within the organization to uncover perceived and known threats and vulnerabilities must conduct a thorough Business Impact Analysis. Many of today’s incidents are so complex and time-consuming that preparation cannot be dismissed. Therefore, by examining each department a baseline of security in systems, network devices and overall physical security can be established so that incidents are not likely to become routine. Some basic aspects behind planning and preparation are:

• Setting up a reasonable set of defenses/controls based on the threat that presents itself.

• Creating a set of policies and procedures to deal with incidents as efficiently as possible.  Within these procedures and policies it must be clear that:

   - All incidents, accidents, or occurrences that cause or could cause harm must be reported.

   - A blame-free environment needs to be promoted because by getting to the root cause of an error, you can fix the underlying system or process issues that allowed the event to happen.

• Obtaining the resources and personnel necessary to deal with the problem.

Engage Cooperation

In order to gain cooperation for this program/system, organizers need to gain the trust and confidence with future security incident reporters by making use of the already existing arrangements and resources within each department; raise awareness of the hazards and threats; most importantly, build trust. Building trust is paramount to success considering crucial and difficult a task it is. Developers should leverage already existing relationships to assist in building that trust. 

Develop a Technological Infrastructure

Companies such as PPM2000, iView Systems and D3 Security systems offer organizations the ability to create customized security incident reporting solutions and systems through their incident management software. This permits an organization’s workforce to easily report incidents online, and also creates more security awareness while simultaneously advancing the organization’s ability to master analytical competencies. 

Indicative of this transformation is the pursuit to integrate and converge disparate systems within the organization that have long been in departmental silos. The security incident management system should be interdisciplinary and organizationally flexible to meet the needs of incidents of any kind or size. 

Manage Security Incident Reporting

Once the infrastructure of the security incident reporting system is in place, a close watch and review of the system and its process must be maintained. This can be achieved by analyzing as well as following-up on individual incidents, conducting statistical analysis on a number of incidents and examining feedback to improve and evolve the process.

Conclusion

Droughts and wildfires in the West, record snowfalls on the East Coast, Typhoon Haiyan in the Far East, gun violence erupting in America’s schools and colleges at a rate of more than three incidents a month with 13 school shootings recorded in the first six weeks of 2014, as well as the recent rash of cyber attacks on Target, Neiman Marcus, Michaels and more recently Apple, exemplify the necessity for accurate incident reporting to improve safety and security; maintain corporate reputational integrity; increase shareholder value; and ensure maximum return on investment.

An incident reporting system in today’s world involves an organizational mindset that emphasizes complete and thorough corporate involvement. This would improve personal and organizational safety that would allow front-end practitioners to have easy access for reporting an incident with an understanding that their report will be handled in a non-punitive manner, and the notion that it will lead to enhanced learning regarding the causation of the incident and systemic changes which may prevent it from recurring.

About the Author: J. Kelly Stewart, MBA, CHS-IV, CAS is the Managing Principal and CSO for Newcastle Consulting, LLC - an Enterprise Risk and Strategic Security Design Management Consultancy.