Rafal Los has an excellent blog post up about how to plan for failure in your information security program. Rafal makes the excellent point that not planning for the (inevitable) failure of your organization’s security controls is, in fact, failure itself.
As I mentioned above, the primary failure in a situation where an organization is breached and the resulting event is seen as a catastrophic failure is in strategy and planning. Failing to account for a breach in your strategic information security and risk management planning is a failure all in itself. It’s at the very least arrogant to think you can ever reach some mythical state of absolute security in your organization, and in many situations it’s irresponsible.
Take his point to heart – a proper incident response plan can ensure that when a data breach does occur, you are responding in a methodical, practiced way instead of the chaotic responses that we see far too often. It is the difference between containing an incident quickly and professionally, and having a minor incident turn into a catastrophic one due to the lack of a well-thought-out plan.
I would be remiss if I didn’t also pass along Rafal’s seven steps to make sure you’re prepared:
- There are no absolutes – what you’re providing is a level of risk reduction to an agreeable, acceptable level for the task
- Define tolerances to failure – make sure you’ve clearly defined your tolerances for everything from downtime to security incidents, so you understand clearly when a failure happens
- Strategies embrace failure – a good security & risk strategy embraces failure as one of the realistic outcomes, and plans for it, providing a pre-defined next-step in those failure cases
- Define failure modes – incidents and breaches happen, but they’re not all created equal – make sure you have this pre-defined before you find yourself in the middle of a failure mode asking “how do we explain how bad it is?”
- Define a recovery – when planning for a potential failure scenario define clearly what your steps are to recover from the various failure modes you’ve already defined, and execute
- Test recovery methods – there is nothing worse than having a well-defined plan for recovery that you find out is non-workable in the heat of the moment – test, test, test and validate your strategic recovery methods
- Validate sentiment – make sure that what you consider acceptable and reasonable, and a sound strategy which includes failure, is acceptable to those that matter to you, namely customers, investors and the public