Security professionals such as CISOs (Chief Information Security Officers) continuously receive alerts that warn them about the attacks and the anomalies. These security warnings and alerts are imperative to mitigate damages effectively from any cyberattack and insider threats. At the same time, it’s also important for cybersecurity professionals to keep in mind that many false alarms also take place. In such a scenario, the key challenge is to figure out what’s a true positive vs. a false positive as each requires a significant amount of investigation. If upon post analysis the conclusion points to a compromise or a breach, the stress can be overwhelming, but CISOs shouldn’t get data breach fatigued since that’s exactly what they are responsible and accountable to manage. Rather, in case of any data breach, CISOs must be vigilant to start rebuilding trust, which can be achieved by following the points mentioned below:
- Provide consumers with timely information that explains what happened and why
- Explain the facts without sugarcoating
- Making communication easy to understand and personal without legal and technical jargons
- Explain easy steps to follow for end-users how they can protect themselves
- Answer all FAQs as soon as possible
What do security leaders always need to pay attention to?
CISOs and other security professionals can never ignore the reasons that cause a cyberattack (if it takes place) within their organization or another because it highlights a weakness aka failure – a failure of a product, process or people. They should always prioritize root cause analysis, verify and validate that a similar failure doesn’t happen (again) within their organization.
There seems to be a wrong perception regarding CISO’s budget, their ability to gain support from the executive, and their visibility level within an organization to come up with meaningful changes. CISO’s who can quantify measurable risk will never run into this problem, however, the majority of the CISO(s) are so overburdened with tactical operations that they barely get time to work on risk-quantification based initiatives.
The security leader must deploy a comprehensive monitoring system. On the surface, this feature might appear appealing, but the fact of the matter is that it's a serious cause for concern. That's because it can easily generate cyber alert fatigue that can be controlled by following the practices mentioned below.
Last but not the least, the security leader must pay attention to the latest innovation and new trends. This might be the last thing in CISO’s mind, but there are countless threat researchers and engineers who are actively pursuing the fight against the bad actors and many of them do have a compelling tech.
The other things that CISO(s) should delegate to their team are as follows:
Optimizing and Tuning Alerts
The primary purpose of deploying a monitoring system is to provide security leaders with useful operational awareness. It can cause objective failure if alerts are being missed, filtered, or ignored, and security leaders can combat this by identifying the top talkers and reviewing the make of alerts. Addressing such problems and optimizing the alerts to get better and more appropriate values can dramatically improve the validity and quality of alerts.
Including Context to Determine Importance
Single events may appear critical, but in reality, they can be innocuous if analyzed with context and vice versa. That’s why observing an event trigger with context is important.
Using Multiple Ways to Generate Triggers or Alerts
Single-channel that feeds your monitoring system is not enough, and it can cause fatigue quickly. CISOs should combine multiple alert types such as logs, email, dashboard alerts to identify their significance efficiently.
What is just noise in the industry and can be ignored?
Market noise is basically the industry movements that generate an inaccurate idea, data, and hype. It makes it difficult to distinguish between valuable and inaccurate information. It's more or less true that multiple data breaches take place every day. But the fact of the matter is that each data breach is not dangerous for your organization, and it's not always necessary to respond with urgency.
How do you avoid fatigue in an industry that moves at the speed of light?
One of the most important and common consequences of continuous data breaches is fatigue in the industry. It's undoubtedly hard to calculate, but its existence can't be denied. According to the IOWA State University Study, a data breach at the US Office of Personnel Management affected about 21 million people. The consumer sentiment regarding this breach was tinged with anger and anxiety.
CISOs and other security leaders must communicate with their customers after a breach. However, it's just one element of the overall IR (Incident Response) plan. In order to avoid data breach fatigue and data breach cycle, security leaders, as well as consumers, need to shake off reluctance to change. Data breaches and cyberattacks might be inevitable, but security professionals can control their responses.
What advice do you have about turning off the news cycle?
The combination of curiosity and imagination allows security leaders to remove the false security sense. It also allows them to explain the effectiveness and cyber resilience posture of their organization to their consumers with courage. Turning off the news cycle might not be a good strategy. In fact, CISOs should analyze every market news and alert thoroughly to identify the significance of each event trigger. Other than that, they can follow the points mentioned below to deal with the risks that their organization faces.
- Explaining what is the range of plausible cyber events instead of assuming "can XYZ happen to their organization."
- Understanding whether events can go miscategorized or undetected can cause a large negative impact.
- Explaining the methods that will be used to respond to an event.
- Figuring out the impact of the event on their business and how the organization will recover.
Frequent and honest communication with consumers combined with imagination and curiosity can work wonders. Not only will it help the security leadership to be honest with themselves, but it will also allow them to deal with the risks effectively that their organization faces.