
Should CISOs share the responsibility for a cybersecurity incident?

CISOs usually take the brunt of the blame when a cybersecurity incident occurs, but should they? Expert Mike O. Villegas details ways CISOs can share the responsibility.

Typically, after a data breach, organizations will place the fault on the CISO and/or the IT decision-makers in charge of security. A new survey from security vendor Absolute Software showed that 65% of these decision-makers said they believed they would lose their jobs in the event of a breach. Is that belief a positive, motivating factor for CISOs, or does it put too much pressure on one person? Who else should share the responsibility for a cybersecurity incident or data breach, and why?

Security is everyone's business. We have heard that message since the 1980s. The electronic data processing security manager (the equivalent title for a CISO at the time) had his work cut out for him in attempting to get IT and business units to work toward a stronger, more secure environment. Unfortunately, IT timetables, budgets, project goals and management directives won out, and to meet those goals, one of the first things cut from a project plan was security controls.

Today, cybersecurity is a regulatory and compliance requirement, but the same struggle remains. The difference is that technology no longer resides in a data center with dedicated administrators and computer operators. Now, technology is ubiquitously connected around the world with remote access, and it is continuously barraged with cyberattacks from both external and internal sources. So, when a cybersecurity incident or breach occurs, it is no wonder that the CISO becomes a casualty.

How can the CISO minimize the likelihood of being a casualty in the event of a major cybersecurity incident? The key to keeping your job as a CISO is communication: explaining to executives ahead of time how incidents will be handled, and then demonstrating that handling when a breach or other incident affects the company's ability to maintain proper security and mitigate risk. CISOs who perform their job duties in a vacuum and rarely speak to or teach executives about the elements of information security or incident handling will find their job tenure in jeopardy when a real incident occurs.

The CISO also needs to embed information security into the business culture. This can be accomplished in several ways, including the following:

  • establishing a strong, effective security awareness program;
  • embedding cybersecurity into the change management process;
  • embedding cybersecurity into the system development lifecycle methodology;
  • embedding cybersecurity into the software/hardware procurement process;
  • providing executive management with a state of cybersecurity report on a monthly or periodic basis;
  • giving business units a reason to applaud information security participation in their business process;
  • implementing an industry-accepted, risk-based cybersecurity framework that is comprehensive, flexible and easy to use;
  • building the skill sets of the cybersecurity staff technically, socially and in effective communication;
  • establishing an effective incident response plan that is tested at least annually; and
  • providing all employees with easy access to current and meaningful cybersecurity policies and procedures.

There is no guarantee the CISO will not be terminated after a cybersecurity incident. In fact, a July 2014 ThreatTrack Security survey reported that 74% of the 203 U.S.-based, C-level executives queried did not believe CISOs "deserve a seat at the table" and said they "should not be part of an organization's leadership team." The same survey stated that 44% of C-level executives believe CISOs "should be accountable for any organizational data breaches," which makes the CISO a convenient scapegoat.

However, if the steps above are thoughtfully deployed, CISO casualties will be greatly reduced, and security will become everyone's business again.


This was last published in December 2016
