3 Questions to Improve Cyber Incident Recovery

July 1, 2017

The NIST Cybersecurity Frame-work focuses twice on the concept of improvement, doing so within both the Respond and the Recover functions. For improved response, NIST recommends that organizations incorporate lessons learned into their response plans and update their response strategies. When it comes to improved recovery, NIST echoes that guidance: Companies should incorporate lessons learned into their recovery plans and update their recovery strategies. Because of these similarities, it is helpful to consider this article in the context of our May 2017 Cyber Tactics column, “Been Hacked? Let That Be a Lesson to You.”

Still, there are some important differences to keep in mind. Because recovery is the final stage of incident management, a retrospective at this point can be more complete. In addition, from a risk management perspective, recovering from a major cyber incident involves more than restoring the company to its prior state. Instead, a mature cyber recovery program would have a company pick itself up, wipe itself off, and start all over again… not battered and bruised, but from a position of greater strength across the entirety of the Framework’s Identify, Protect, Detect, Respond and Recover functions.

There’s No Substitute for Experience.

Most every major incident reveals something unexpected, and usually not for the better. Capturing these experiences helps bridge the gap between theory and reality, creating a cybersecurity program that combines your company’s analytic intelligence (or book smarts) with its practical intelligence (or street smarts). To receive diverse input, companies might consider asking everyone who had a role in the detection, response and recovery efforts the following three open-ended questions:

What was unexpected about this incident and the way it played out?
What would you personally do differently before, during or after a future incident and why?
Based on this incident, what areas should the company prioritize for improvement and why?

There’s No Substitute for Hard Work.

Organizations should develop an improvement plan using risk principles to incorporate lessons learned and to implement the remedial actions suggested by the forensic investigation. NIST points out that the most important issues may consist of major problems (such as the need to restrict administrative privileges across the enterprise) or individually minor problems that occur repeatedly (for example, an inadequate distinction between low, medium and high level alerts). In parallel, corporate leadership should assess whether and how a major incident challenged the company’s prior risk assumptions, and whether they should mitigate or accept any newly identified risks.

There’s No Substitute for Victory.

As with most military campaigns, cybersecurity requires winning the daily battles while keeping an eye on not losing the longer war. In this regard, NIST recommends that organizations divide their plans into shorter-term tactical gains (such as patching systems more quickly) and longer-term strategic gains (such as adopting new security technologies). Through a cycle of continuous improvement, an organization’s cybersecurity efforts will serve as a key enabler for business success, and that spells victory.

Steven Chabinsky is global chair of the Data, Privacy, and Cyber Security practice at White & Case LLP, an international law firm. He previously served as a member of the President’s Commission on Enhancing National Cybersecurity, the General Counsel and Chief Risk Officer of CrowdStrike, and Deputy Assistant Director of the FBI Cyber Division. He can be reached at chabinsky@whitecase.com.

How can you advance your career in the security industry with the skills and competencies necessary to benefit your organization? What will the security executive and the security function of the future look like? Join us as we hear from veterans in the security industry about their experiences, their lessons learned, and best practices for advancing their careers.

Security measures today tend to focus on controlling access, albeit with limitations. Many organizations, for example, know how many people have entered a secure location, but not how many have left.