3 Questions to Improve Cyber Incident Recovery

July 1, 2017

The NIST Cybersecurity Frame-work focuses twice on the concept of improvement, doing so within both the Respond and the Recover functions. For improved response, NIST recommends that organizations incorporate lessons learned into their response plans and update their response strategies. When it comes to improved recovery, NIST echoes that guidance: Companies should incorporate lessons learned into their recovery plans and update their recovery strategies. Because of these similarities, it is helpful to consider this article in the context of our May 2017 Cyber Tactics column, “Been Hacked? Let That Be a Lesson to You.”

Still, there are some important differences to keep in mind. Because recovery is the final stage of incident management, a retrospective at this point can be more complete. In addition, from a risk management perspective, recovering from a major cyber incident involves more than restoring the company to its prior state. Instead, a mature cyber recovery program would have a company pick itself up, wipe itself off, and start all over again… not battered and bruised, but from a position of greater strength across the entirety of the Framework’s Identify, Protect, Detect, Respond and Recover functions.

There’s No Substitute for Experience.

Most every major incident reveals something unexpected, and usually not for the better. Capturing these experiences helps bridge the gap between theory and reality, creating a cybersecurity program that combines your company’s analytic intelligence (or book smarts) with its practical intelligence (or street smarts). To receive diverse input, companies might consider asking everyone who had a role in the detection, response and recovery efforts the following three open-ended questions:

What was unexpected about this incident and the way it played out?
What would you personally do differently before, during or after a future incident and why?
Based on this incident, what areas should the company prioritize for improvement and why?

There’s No Substitute for Hard Work.

Organizations should develop an improvement plan using risk principles to incorporate lessons learned and to implement the remedial actions suggested by the forensic investigation. NIST points out that the most important issues may consist of major problems (such as the need to restrict administrative privileges across the enterprise) or individually minor problems that occur repeatedly (for example, an inadequate distinction between low, medium and high level alerts). In parallel, corporate leadership should assess whether and how a major incident challenged the company’s prior risk assumptions, and whether they should mitigate or accept any newly identified risks.

There’s No Substitute for Victory.

As with most military campaigns, cybersecurity requires winning the daily battles while keeping an eye on not losing the longer war. In this regard, NIST recommends that organizations divide their plans into shorter-term tactical gains (such as patching systems more quickly) and longer-term strategic gains (such as adopting new security technologies). Through a cycle of continuous improvement, an organization’s cybersecurity efforts will serve as a key enabler for business success, and that spells victory.

Steven Chabinsky is global chair of the Data, Privacy, and Cyber Security practice at White & Case LLP, an international law firm. He previously served as a member of the President’s Commission on Enhancing National Cybersecurity, the General Counsel and Chief Risk Officer of CrowdStrike, and Deputy Assistant Director of the FBI Cyber Division. He can be reached at chabinsky@whitecase.com.

You must login or register in order to post a comment.

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

Security Magazine

2020 October

This month in Security magazine, we explore how Corning's global security group ensured business continuity and employee safety during the global COVID-19 pandemic. Also, we highlight the global security team at Uber and their recent security programs and initiatives. Industry experts discuss travel safety programs, career hackers, working for terrible bosses, group attribution error and more.

View More Create Account