Answer at least one of the following questions:
You’ve been hired as a consultant by an organization not due to a breach, but because their regulator documented a finding that the organization must redefine their Incident Response Program.
- How do you garner support for this effort if the organization disagrees with the regulator’s finding?
- What would your project plan look like if you must correct this finding prior to the next annual audit?
How do you garner support for this effort if the organization disagrees with the regulator’s finding?
I would schedule a meeting with stakeholders from all departments. I don’t care that they disagree with the regulator. His job is to evaluate and point out deficiencies. Aside from the normal day-to-day vigilance, incident response is one of the most (if not the most!) important facets. I would point out the recent explosion of Ransomware attacks to shock them into submission, noting that the cost to recover may very well end the business. If an organization wants to protect data and revenue and hold on to its reputation and customer trust, redefining the incident response plan is what needs to happen. And fast…
I agree with your approach; the first thing to be done is to arrange a meeting with all stakeholders. This helps to bring everyone up to speed with what’s on the line if the organization does not comply with regulations.
The direct approach is great, but typically that type of decision depends on your rank in the office. You may need buy-in from your own boss in order to get all the RIGHT stakeholders together. I think I would obtain the evidence the regulator collected to make their determination and do my own individual assessment of the IRP. Present that to your management with your business case and leverage THEM to move up the ranks. Ultimately it is not your decision to make unless you are the one ponying up the funds. Writing an IRP still costs money, so you would need to prove the return on the investment.
How do you garner support for this effort if the organization disagrees with the regulator’s finding?
Support from management is vital in the success of any cybersecurity-related project but management is often business-focused and can see cybersecurity as more of an expense than an asset. Supplying stakeholders with hard facts and numbers can present the benefit and need of different cybersecurity tools (or updates/changes to those tools) in a way that everyone fully grasps. The FBI releases an annual report on cybercrime in the U.S. with statistics on different types of crimes and different specific industries (see link below if you’re interested!). Additionally, other sources, like Statista provide the public with useful statistics. I would relate these numbers to the specific company in a way that shows potential and average losses. For example, if total victim losses for a company’s industry are $250,000,000 per year and there are only 12,000 (same size/customer base/etc for simplification) different companies in their industry, that averages out to $12,500 per company per year. Suddenly, the cyber threat that management hadn’t experienced before has a $12,500 per year cost for that organization and its customers. Additionally, that organization may lose out on even more money due to bad PR and fines. From there I could look at costs associated with implementing new/fixing old cybersecurity initiatives and the residual risk left after implementing them. I could also drive the point home further with specific examples of incidents and their fallouts.
https://www.ic3.gov/Home/AnnualReports
https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf
Additional sources: https://www.statista.com/statistics/194246/cyber-crime-incidents-victim-industry-size/
Hi Amy!
Great post!
You would think that stakeholders would be onboard no matter what, considering the cost/benefit analysis. The TJ Maxx breach was an example of the fat rats trying to keep their pockets full and not spending a few million to fix the issue. They completely ignored the magnitude of the risk, and that cost them something like $256 million. High-profile breaches weren’t as common 10-15 years ago; now they are an almost everyday occurrence.
I’m not sure why this still surprises me but it always does! You would think that those looking to make more money in the long-term would be interested in the cost-benefit analysis but it looks like some folks can be short-sighted.
You’ve been hired as a consultant by an organization not due to a breach, but because their regulator documented a finding that the organization must redefine their Incident Response Program.
1. How do you garner support for this effort if the organization disagrees with the regulator’s finding?
A good way to go about garnering support would be to call a meeting with the stakeholders. From here you can show what the potential impact may be if they do not take the recommendations we are giving the organization. If, after you show them the potential impact, they still do not want to take the recommendation, it may be time to run up the ladder to the CIO / CSO to show the potential impact if these changes are not implemented.
Hi Gino!
Great point!
As you already know, the C-Suite is difficult to deal with. Going “over their head” to the CIO or CISO is the best way. Hell, I would start there. They may not appreciate that but will appreciate you if a disaster is averted. If so, ask for a raise!
Oy... I must disagree, Vince. Going over the head of execs, well, unless it’s due to something illegal, I wouldn’t advise it. Though you and the regulator may be right, you need tact and business sense. Make the change lucrative. Present it in a good light. Executives respond to numbers. You might think it’s all about money, but it’s not. Reputational loss and loss of trust from clients, vendors, customers, and the public are all valid reasons to implement an incident response plan. You could sell that to key stakeholders and get buy-in. I certainly wouldn’t say “you’re greedy” to your execs. You might just find yourself out of a job.
The first step would be to gather my findings/report with evidence and then arrange a meeting with all stakeholders in the company. In the presentation, I would take them through a step-by-step scenario of the incident, showing the exposure in line with what the regulations mandate on how incidents must be handled.
Next would be to show them the possibility of a repeat incident if the vulnerability is not fixed and the total amount of fines the organization will be liable to pay if the vuln is not fixed immediately.
For instance, Marriott was hit with $124 million and Equifax paid $575 million for its breach in 2017.
I would emphasize to them that paying fines is far more than the cost of redefining an incident response plan. For example, in the case of Equifax, incident response plans are a fraction of the $575m fine they paid.
Finally, I would also inform them that at times fines are reduced when an organization practices due care; in this case, due care would imply fixing the vulnerability identified by the regulator. However, if it’s proved that due care was not practiced after a warning, the fine is much heavier; hence the company pays the ultimate financial burden, which at times may stifle the business financially in the short or long run.
Hi Jerry!
All great points! Staggering costs for breaches and the penalties involved should be on every stakeholder’s mind constantly. Definitely, in this era of unprecedented breaches and remediation costs, we should not have to convince anyone.
But like you said, sitting them down and walking them through a scenario shows them first hand what the organization is up against.
Love your approach. Keeping to the facts is crucial. The regulator may or may not be right, but your analysis will either prove or disprove the need for a revamp of the IRP. Translating the finding into dollars in cost savings is crucial to the C-suite. Explain to them how much an incident could actually cost if no plan was in place. Bring regulation into the fold and the legal repercussions of non-compliance. All these points are super effective.
I would propose a walkthrough and live run of the existing IRP. This effort would force visibility into the applicability of the IRP and highlight any issues that may arise during it. At that point we would re-evaluate the IRP and have better visibility into the parts that are effective and the areas where improvement would be needed.
If I had to incorporate this into a project plan, I would allocate resources to a live simulation of an event requiring the IRP, valuation of results, valuation of impact if not revisited, and presentation of findings to management. In conjunction with the business, we would write up a new IRP incorporating the recommendations of the regulator and the findings of our own assessment.
Hi Vanessa,
This is a great take! What better way to show that something isn’t working than to show that it doesn’t work? The only thing to consider here is the potential difficulty of a live run of the existing IRP in certain environments.