Security incidents are inevitable, but how they’re dealt with can make or break an organization. Poor incident response negatively affects business practices, including workflow, revenue generation, and public image.
The incident response of most organizations is ad hoc at best. A formal management plan is rarely developed or adhered to, resulting in ineffective firefighting responses and inefficient allocation of resources.
Our Advice
Critical Insight
- Embrace the use of ready-made responses when handling incidents. These pre-established response plans can save valuable time and effort during a crisis. By relying on proven and tested procedures, your team can respond swiftly and efficiently, minimizing the impact of incidents and ensuring a consistent approach to resolving security breaches.
- Analyze, track, and review results of incident response regularly. Without a comprehensive understanding of incident trends and patterns, you can be revictimized by the same attack vector.
- Establish communication processes and channels well in advance of a crisis. Don’t wait until a state of panic. Collaborate and exchange information with other organizations to stay ahead of incoming threats.
Impact and Result
- Effective and efficient management of incidents involves a formal process of preparation, detection, analysis, containment, eradication, recovery, and post-incident activities.
- This blueprint will walk through the steps of developing a scalable and systematic incident response program relevant to your organization.
Member Testimonials
After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.
9.4/10
Overall Impact
$104,742
Average $ Saved
42
Average Days Saved
Client
Experience
Impact
$ Saved
Days Saved
Pitt County
Guided Implementation
10/10
$30,549
10
Uganda Revenue Authority
Guided Implementation
10/10
$12,999
105
Willingness to provide guidance and followup
Opal Packaging
Guided Implementation
10/10
N/A
20
Robert is very knowledgeable providing practical advice and guidance. The facilitation of the tabletop exercise was a beneficial exercise to comple... Read More
Pitt County
Guided Implementation
10/10
$18,849
10
Keeneland Association
Guided Implementation
10/10
$2,469
2
Frank presented the materials very professioinally and shared some content he'd done for a client to help us continue down the project path.
Dunn‐Edwards Corporation
Guided Implementation
10/10
$64,999
50
Working Petar, who brings a lot of knowledge, experience, and advise throughout the IR process. The tools provided were also fantastic, with very l... Read More
The Corporation of the City of Sault Ste. Marie
Workshop
10/10
$75,000
110
The entire process was excellent and very informative. There was NO worst part. Thanks
CPA Alberta
Guided Implementation
8/10
$10,000
5
Best was the general guidance and lessons learned from others on our incident response, structure of the table top exercise, and dealing with insur... Read More
California Department of Housing & Community Development
Workshop
10/10
$129K
115
Andy Riley was extremely knowledgeable and we learned a great deal from him. We were able to produce tangible results and deliverables which will h... Read More
County of Franklin
Guided Implementation
10/10
$2,599
20
Shastri is a great resource and was very helpful during the entire process. I have no complaints.
Kappa Delta Sorority
Guided Implementation
10/10
$12,999
60
Working with Shastri was the best part of my experience. The knowledge and the willingness to help me prepare a plan that meets our internal team w... Read More
Charlotte County Clerk of the Circuit Court and County Comptroller
Workshop
10/10
N/A
110
We only have the best to say about our experience with Info-Tech and Frank Sargent on our workshop. Frank was engaging and walked us through all a... Read More
Osage Casinos
Guided Implementation
10/10
$14,949
20
Fritz Jean-Louis was amazing and really helped to guide me through the difficult process of developing and implementing a security incident managem... Read More
RJRGLEANER Communications Group
Guided Implementation
9/10
N/A
26
Best - Dr. Michel was knowledgeable, flexible and willing to work with us during the guided implementation. He provided many scenarios and additio... Read More
Asian Development Bank
Guided Implementation
9/10
N/A
N/A
Advice was very clear and Dang was found to be very informative and advanced on the subject.
The Corporation of the City of Timmins
Guided Implementation
10/10
$10,000
20
Shastri was a great coach and mentor during the project - he has a lot of real world experience and helpful guidance. Worst part was the sheer am... Read More
Government of Bermuda
Workshop
8/10
$389K
110
Best - SANDY and FRANK!!!; getting everyone together; understanding how things are currently done and/or will be done; identifying how our work wil... Read More
New-Indy Containerboard, LLC
Guided Implementation
10/10
$2,469
9
Noramco, LLC
Guided Implementation
10/10
$59,849
10
The advisor is so well knowledgeable and versed in the topic and i truly appreciate that. I don't have any neg thing to say.
Pekin Insurance
Workshop
9/10
$61,749
20
Sandy Silk did a great job of conducting the workshop. She was organized and customized the workshop in ways that most help our incident response ... Read More
4Wall Entertainment
Workshop
10/10
$18,269
5
Sandy was an excellent facilitator and did a great job getting the team to open up and discuss the topics at hand. She also has a ton of experience... Read More
County Of Kenosha
Workshop
8/10
$12,999
20
The tabletop exercise was very valuable to illustrate the importance of a structured response.
ENERGYUNITED ELECTRIC MEMBERSHIP CORPORATION
Workshop
10/10
$1.3M
120
The best part of our experience was in the second table-top exercise that included representation from key business stakeholders. This exercise was... Read More
Healthcare Excellence Canada
Guided Implementation
8/10
N/A
5
no worst parts; getting a second perspective is always helpful.
Corix Infrastructure Inc.
Guided Implementation
10/10
$37,500
20
It was a great experience and a great way to assist Corix in accomplishing a goal amidst a number of competing initiatives. Thank you Logan for al... Read More
Afreximbank
Guided Implementation
8/10
$23,500
110
Overall a very good experience
Jet Support Services, Inc.
Workshop
10/10
$12,599
20
Logan and Kevin were great to work with
The Regional Municipality Of Niagara
Workshop
7/10
N/A
50
There was a lot of attention for me to drive the engagement, as well the consultant's that were assigned to us did not engage the group at times, s... Read More
Saskatchewan Blue Cross
Guided Implementation
8/10
N/A
5
The resources provided are quite useful.
Hyperloop Technologies, Inc.
Workshop
10/10
$37,199
20
I don't believe there were an worst parts, however, it's been almost 2 months since the engagement so I don't really remember. Overall I felt it w... Read More
Workshop: Develop and Implement a Security Incident Management Program
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Module 1: Prepare Your Incident Response Program
The Purpose
- Understand the purpose of incident response.
- Formalize the program.
- Identify key players and escalation points.
Key Benefits Achieved
- Common understanding of the importance of incident response.
- Various business units becoming aware of their roles in the incident management program.
- Formalized documentation.
Activities
Outputs
Assess the current process, obligations, scope, and boundaries of the incident management program.
- Understanding of the incident landscape
Identify key players for the response team and for escalation points.
- An identified incident response team
Formalize documentation.
- A security incident management charter
- A security incident management policy
Prioritize incidents requiring preparation.
- A list of top-priority incidents
- A general security incident management plan
- A security incident response RACI chart
Module 2: Develop Incident-Specific Runbooks
The Purpose
- Document the clear response procedures for top-priority incidents.
Key Benefits Achieved
- As incidents occur, clear response procedures are documented for efficient and effective recovery.
Activities
Outputs
For each top-priority incident, document the workflow from detection through analysis, containment, eradication, recovery, and post-incident analysis.
- Up to five incident-specific runbooks
Module 3: Maintain and Optimize the Program
The Purpose
- Ensure the response procedures are realistic and effective.
- Identify key metrics to measure the success of the program.
Key Benefits Achieved
- Real-time run-through of security incidents to ensure roles and responsibilities are known.
- Understanding of how to measure the success of the program.
Activities
Outputs
Limited scope tabletop exercise.
- Completed tabletop exercise
Discuss key metrics.
- Key success metrics identified
Develop and Implement a Security Incident Management Program
Create a scalable incident response program without breaking the bank.
EXECUTIVE BRIEF
Analyst Perspective
In today’s digital landscape, security incidents are an unavoidable reality for organizations, regardless of their size or industry. From data breaches and ransomware attacks to insider threats and phishing scams, the range of security incidents keeps growing. This demands a proactive and robust approach to security incidents.
It has been found that organizations with well-formalized incident response plans experience, on average, 55% lower costs and are 50% faster in containing incidents (IBM, 2020). When faced with a security incident, organizations cannot afford to waste time deliberating how to respond and must have designated roles and responsibilities so that everyone can act decisively.
As well, organizations need to track and measure key performance indicators (KPIs) such as response time, success rate, and recovery time regularly. Tracking these KPIs can provide valuable insights for continuous improvement and fine-tune response strategies.
Ultimately, a proactive security incident management approach empowers organizations to navigate security incidents with confidence and mitigate potential consequences swiftly when an incident occurs.
Nitin Mukesh
|
Executive Summary
Your Challenge
- Security incidents are inevitable, but how they’re dealt with can make or break an organization. A poor incident response negatively affects business practices, including workflow, revenue generation, and public image.
- The incident response of most organizations is ad hoc, at best. A formal management plan is rarely developed or adhered to, resulting in ineffective firefighting responses and an inefficient allocation of resources.
Common Obstacle
- Tracked incidents are often classified using ready-made responses that are not necessarily applicable to an organization. With so many classifications, tracking becomes inefficient and indigestible, allowing major incidents to fall through the cracks.
- As well, outcomes of incident-response tactics may not be formally tracked or communicated, resulting in the lack of a comprehensive understanding of trends and patterns regarding incidents. This may lead to an organization being revictimized by the same vector.
- However, even having a formal incident response document to meet compliance requirements is not useful if no one is adhering to it.
Info-Tech’s Approach
- Effective and efficient management of incidents involves a formal process of preparation, detection, analysis, containment, eradication, recovery, and post-incident activities.
- This blueprint will walk you through the steps of developing a scalable and systematic incident response program that is relevant to your organization.
Info-Tech Insight
Embrace the use of ready-made responses when handling incidents. These pre-established response plans can save valuable time and effort during a crisis. By relying on proven and tested procedures, your team can respond swiftly and efficiently, minimizing the impact of incidents and ensuring a consistent approach to resolving security breaches.
Challenges of inadequate security incident management
Lack of preparedness: A security incident management program helps to prepare your organization for potential security incidents by establishing clear roles, responsibilities, and procedures. Without such a program, your team may be ill-prepared to handle incidents, resulting in confusion, chaos, and a higher likelihood of errors or mistakes during the response.
Incomplete incident documentation: It is important to ensure that incidents are properly documented and there are measures for dealing with and resolving them. Without an incident management system, your organization may not have the structures to report and document incidents, which could impede root-cause identification, post-incident analysis, and the ability to learn from previous incidents in order to enhance future security measures.
Regulatory noncompliance: Some industries have specific regulations and legal requirements for incident management, data protection, and breach notification. Without an updated plan that reflects these regulations and requirements, your organization may fail to meet compilatory needs, which could lead to regulatory consequences, financial sanctions, or even a bad reputation.
207 days – Mean time to identify a data breach
70 days – Mean time to contain a data breach
(Source: “Cost of a Data Breach Report 2022,” IBM, 2022)
Defining security incident management
-
IT Incident
An IT incident is any event that is not part of the standard operation of a service and that causes, or may cause, an interruption to, or a reduction in, the quality of this service. -
Security Event
A security event is any event or occurrence that could potentially have information security implications.- For example, a spam email is a security event because it may contain links to malware.
- Organizations may be hit with thousands, or perhaps millions, of identifiable security events each day.
- These security events are typically handled by automated tools or simply logged.
-
Security Incident
A security incident is a security event that results in damage, such as lost data.- A security incident can also be a security event that does not involve damage but is a viable risk.
- For example, an employee clicking on a link in a spam email that made it through filters may be viewed as a security incident.
It’s not a matter of if you will have a security incident, but when
The increasing complexity and prevalence of threats have finally caught the attention of corporate leaders. Prepare for the inevitable with an incident response program.
- The average breach cost savings at organizations with an incident response (IR) team that tested an IR plan is US$2.66 million.
- US organizations lost an average of US$9.44 million per data breach as a result of increased customer attrition and diminished goodwill. The Middle East and Canada follow at US$7.46 and US$5.64 million, respectively.
- 83% of organizations have experienced multiple data breaches, with 60% of them having to increase the price of their services or products because of a data breach.
- 45% of breaches happened in the cloud, where organizations with a hybrid cloud model had shorter breach lifecycles than those with a private or public cloud model.
- The average cost of a data breach is greater by US$1 million if remote work was a factor.
(Source: “Cost of a Data Breach Report 2022,” IBM, 2022)
This research is designed for a chief information security officer (CISO) who is dealing with:
- Inefficient use of time and money when retroactively responding to incidents that negatively affect business revenue and workflow.
- Resistance from management to adequately develop a formal incident response plan.
- Lack of closure of incidents, resulting in being revictimized by the same vector.
This research will also assist business stakeholders who are responsible for:
- Improving workflow and managing operations in the event of a security incident to reduce any adverse business impacts.
- Ensuring that incident response compliance requirements are being adhered to.
Benefits of an incident management program
Effective incident management will help you …
- Improve efficacy.
Develop structured processes to increase process consistency across the incident response team and the program as a whole. Expose operational weak points, and transition teams from firefighting to innovating. - Improve threat detection, prevention, analysis, and response.
Enhance your pressure posture through a structured and intelligence-driven incident handling and remediation framework. - Improve visibility and information sharing.
Promote both internal and external information sharing to enable good decision making. - Create and clarify accountability and responsibility.
Establish a clear level of accountability throughout the incident response program and ensure role responsibility for all tasks and processes involved in service delivery. - Control security costs.
Establish effective incident management operations to provide visibility into your remediation processes, enabling cost savings from misdiagnosed issues and incident reduction. - Identify opportunities for continuous improvement.
Increase visibility into current performance levels and accurately identify opportunities for continuous improvement with a holistic measurement program.
Short-Term Impact
- Streamlined security incident management program
- Formalized and structured response process
- Comprehensive list of operational gaps and initiatives
- Detailed response runbooks that predefine necessary operational protocol
- Compliance and audit adherence
Long-Term Impact
- Reduced incident costs and remediation time
- Increased operational collaboration between prevention, detection, analysis, and response efforts
- Enhanced security pressure posture
- Improved communication with executives about relevant security risks to the business
- Preserved reputation and brand equity
Develop and Implement a Security Incident Management Program
Create a scalable incident response program without breaking the bank.
Create and follow a pre-established workflow for every security incident encountered
Predefined workflows for each stage
- Detection Constantly monitor until signs of an incident are detected
- Analysis Leverage data to analyze the incident
- Containment Contain the incident and affected system
- Eradication Eliminate malignant components of the incident
- Recovery Restore and monitor the affected systems
- Post-Incident Activities Collaborate with stakeholders to review the incident's cause, effect, and remediation
Embrace ready-made incident responses to save time and respond swiftly during crises. Relying on proven procedures minimizes impact and ensures consistency in resolving security breaches.
Problem
- Your organization lacks a formal and structured incident management plan or relies on one that is outdated.
- There is a reactive approach to incidents on a case-by-case basis in the absence of a standardized processes.
- The inefficient incident responses and resource allocation due to ad hoc handling of incidents result in negative impacts on critical business practices.
Challenges
- Inadequacies in incident documentation hinder post-incident analysis and learning, while the lack of a structured incident Management System impedes future security measures.
- Non-compliance risks from failure to meet data protection and breach notification requirements exposes organizations to legal and financial consequences.
- Without a security incident management program, organizations lack preparedness, clear roles, and procedures, leading to confusion and errors during incident handling.
Benefits
Control security costs
Effective incident management operations will provide visibility into your remediation processes, enabling cost savings from the reduction in misdiagnosed issues and incidents.
Improve efficacy
Develop structured processes to increase process consistency across the incident response team and the program as a whole. Expose operational weak points and transition teams from firefighting to innovating.
Impacts
Short term
- Detailed response runbooks that predefine necessary operational protocol
- Compliance and audit adherence
Long term
- Reduced incident costs and remediation time
- Enhanced security pressure posture
Malware | Malicious Email | Ransomware | Data Breach | Credential Compromise | Third-Party Incident | DDoS Attack
Maintain a holistic security operations program
Prevent: Defense in depth is the best approach to protect against unknown and unpredictable attacks. Diligent patching and vulnerability management, endpoint protection, and strong human-centric security (among other tactics) are essential.
Detect: There are two types of companies: those that have been breached and know it, and those that have been breached and don’t know it. Ensure that monitoring, logging, and event detection tools are in place and appropriate to your organizational needs.
Analyze: Raw data without interpretation cannot improve security and is a waste of time, money, and effort. Establish a tiered operational process that not only enriches data but also provides visibility into your threat landscape.
Respond: Organizations cannot rely on an ad hoc response anymore – don’t wait until a state of panic. Formalize your response processes in a detailed incident runbook to reduce incident remediation time and effort.