Connect with us

Technology

5 Key Factors CISOs Should Consider When Building Incident Response

Published

on

As attacks become more sophisticated and frequent, 86% of CISOs agree that cyber-incidents within their companies are inevitable. So, it comes as no surprise that the majority (76%) believe the speed and quality of incident response (IR) are the most important factors when measuring their performance. This means that heads of IT security departments are now focused not only on preventing attacks, but on identifying issues in time to minimize the damage.

While having IR as a process is a necessity, CISOs still face the dilemma of organizing it. There are five factors IT security leaders should consider when choosing how to organize IR in their organization:

1. Shortage of qualified professionals

IR is often misunderstood as jumping into the remediation phase when an incident happens. However, the IR process starts even before an attack has occurred and isn’t over when it stops. In general, IR consists of four stages. The first is preparation to ensure all responsible employees know how to act upon attack. The second phase involves incident detection. Next, an IR team should eliminate the attack and recover any affected systems. After an issue is resolved, the IR strategy should be reviewed based on this experience, to mitigate similar cases happening again.

These diversified activities call for different professionals. Unfortunately, these specialists are in short supply. According to Kaspersky Lab’s survey, 43% of CISOs find it difficult to find a malware analyst, 20% to find specialists that can respond to attack, and 13% can’t find threat hunters. Another issue is employee retention. Specialists know they are in demand and can easily switch to a rival organization if offered a higher salary. Because of these factors, it’s increasingly hard for companies to employ a team internally that can conduct the entire IR process.

2. Choosing suitable outsourcers

Choosing a contractor is also not a trivial task. To be effective, an outsourced team should cover all the important competencies of IR; namely threat research, malware analysis and digital forensics. It’s important that outsourcers have vendor-neutral certificates to prove a skill base. Also, ask about their experience in the role. The more they work for multiple customers in a variety of industries, the more chance they regularly come across typical incidents and can find similarities in seemingly different cases.

For companies in strictly regulated industries, there may be additional restrictions when selecting outsourced responders. They will, therefore, only be allowed to choose from incident responders that meet specific compliance requirements.

3. Cost of incident response

Establishing in-house IR is costly. The organization needs to pay a salary to full-time employees with rare and expensive skills. They also need to purchase solutions and services (threat intelligence) required for threat hunting, data analysis and attack remediation.

However, the average cost of experiencing a data breach globally is increasing as well – with breaches now amounting to $1.23M on average for enterprises (up 24% from $992K in 2017). With the cost of IT incidents on the rise, businesses are realizing that they have to prioritize cybersecurity spending.

Some organizations find a flexible outsourcing model more cost-effective, as it allows them to pay only for the service received. However, for enterprises that deal with numerous incidents, having IR in-house is a must. Nonetheless, they can still find a more cost-effective model when they employ first-level responders. This internal team should be able to analyze the incident first and either handle it according to procedures or escalate to external experts.

4. Synergy with IT department

When an incident happens, the IT team may choose to shut down infected machines to reduce the impact. However, for responders, it’s important to collect the evidence first – meaning that the ‘crime scene’ should be left untouched for a while after an incident. Collecting logs and storing them for only three months, and disconnecting infected machines make the life of IR teams more difficult.

To avoid such discrepancies, the internal IR team should prepare special tailored guidance for their IT colleagues or introduce special training for any IT specialist who needs more than simple cybersecurity hygiene knowledge but doesn’t require in-depth security skills. This initiative will ensure that both the internal and external team are on the same page.

5. Delays in putting response into action

Organizations that outsource IR can establish the processes faster, as an external IR team is always on hand to step in and resolve an incident when needed. However, this comes with potential pitfalls. For instance, a company and the third party must sign contracts and create agreements before any work is carried out. This can lead to a delay in incident response.

For most large organizations, a hybrid approach to IR, combining third-party responders as the second line of response and an in-house team as the first is the most effective option. It brings benefits and eliminates the shortages of both approaches.

All in all, outsourcing IR doesn’t mean that the company can simply hand over the reins to external experts and absolve themselves of responsibility. Having a plan is still key. To react in time, a company must be prepared and have a first line of response. There should be instructions for when to ask for external assistance and what it will address. Someone inside the company should also be tasked with prioritizing actions and coordinating cooperation between internal departments and the outsourced external team. Establishing such a role is a must.

Continue Reading
Advertisement
Comments

Subscribe

Advertisement

Facebook

Advertisement

Ads Blocker Image Powered by Code Help Pro

It looks like you are using an adblocker

Please consider allowing ads on our site. We rely on these ads to help us grow and continue sharing our content.

OK
Powered By
Best Wordpress Adblock Detecting Plugin | CHP Adblock