A Goal Without A Plan Is Just A Wish

Uploaded on 2024-02-22 in TECHNOLOGY--Resilience, FREE TO VIEW

We can all agree that if two buildings are on fire, the building that has taken steps to reduce the ability of the fire to spread, has fire marshalls, evacuation plans and a sprinkler system which are all regularly tested is likely to be less damaged than the one without any of these.

Additionally, we can also agree that the longer the fire is burning, the more damage it causes.

The same can be said in the realm of cyber security (and now we have research to back it up). IBM’s 2023 Cost of a Data Breach Report tells us that investing in a robust incident response (IR) strategy is key to limiting damage from a breach and can reduce costs by up to a third. The report also found that the most effective IR strategy for reducing the period that the ‘cyber fire’ is burning was to combine formation and testing. This led to a decrease of 19.4% in the time taken to identify and contain a breach, saving organisations, on average, over $1m.

So we should know (both through IBM’s cyber research and common sense) the importance of not only having a well-baked IR plan, but one that is tested thoroughly and regularly. Yet do we actually do this? 

Plans Need To Be Tested

On the subject of whether a goal without an IR plan is just a wish, the common sense and wisdom of Antoine de Saint-Exupéry can teach us a lot (in life as well as cyber security). 

“A goal without a plan is just a wish,” whilst originating from a children's book author (and pilot), is very solid advice. So how do we move from wishes, to plans, to goals? It is very easy in our industry to develop something akin to “IR-plan envy.” We look around and see other people’s advanced IR plans and their incredible level of management buy-in and funding. 

However, for organisations without an IR plan or reviewing an existing one, there is plenty of useful guidance included in the ISO/IEC Standard 27035. What makes IR plans and processes special is their cyclical nature. Rather than being a linear process that is completed, they are a feedback loop of continuous improvement.

This is why starting can appear to be the hardest part but is also the most essential. It is also why testing them is so vital. 

Only by going through drills will organisations discover whether there are any opportunities for improvement in their execution of the plan and, in a more fundamental sense, if it is even likely to work. Things like communication gaps, outdated procedures, team members unsure of their responsibilities and technology issues can all be identified in a safe environment of testing. 

Testing can not only highlight unclear roles within the IR team and wider organisation but also provides an opportunity to build trust and understanding between areas of the business that may not regularly interact. 

Implementing and regularly testing a cyclical incident response plan can also serve to combat the toxic elements of finger pointing and blame. Where organisations can leave behind notions of “passing”, “failing” or “blaming” and move towards a culture of improving processes, culture and security can improve dramatically. 

A Final Word On Regulations & Compliance 

It is at this point that some authors may throw in the scary Boogie Man of ‘Regulations’ and ‘Compliance’ to ensure that you agree with and participate in the points made so far. A “Now go ‘do brilliant incident response’ or the regulator will get you” approach. 

Whilst regulator interaction is beyond the scope of this article it is worth noting that a well-defined IR plan with evidence of regular testing and improvement forms a fantastic vehicle for communicating the security posture of an organisation to regulators and stakeholders alike. 

In its simplest sense it says, “we care enough about our stakeholders to take this seriously that we operate from a position of realism as opposed to blind optimism.” We have plans for if things fail rather than just failing to have plans. 
 
Introduction of new regulations, such as those introduced by the Securities and Exchange Commission (SEC) in December 2023, are often presented in the media as introducing an unwelcome level of scrutiny when they could equally as easily be viewed as an opportunity to promote openness and trust between stakeholders, regulators and organisations. 

Through the practice of implementing and maintaining an IR plan, communication with regulators can become more refined (and ironically less likely to be required).

If your goal is a robust information security programme and you don’t have an incident response plan that you are regularly testing, what you actually have is an “information security wish.” If this is your organisation, now is the time to take that first step. It does not need to be perfect but it does need to be. 

Chris Denbigh-White is CSO at Next DLP 

Image: cottonbro studio 

You Might Aso Read: 

The Duality of Cybersecurity:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

 

« Managed Security Services In The Age of Advanced Threat Intelligence 
US Navy Will Use Data Analytics For Maritime Security »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Concise Technologies

Concise Technologies

Concise Technologies provide specialist IT and telecoms solutions, support services, managed backup, disaster recovery, cyber security and consultancy to SME businesses across the UK and Europe.

Copper Horse Solutions

Copper Horse Solutions

Copper Horse specialises in mobile and IoT security, engineering solutions throughout the product lifecycle from requirements to product security investigations.

Lynx Software Technologies

Lynx Software Technologies

Lynx provide secure software and operating systems for use in mission critical applications such as aerospace, medical, transportation and IoT.

Compass Security

Compass Security

Compass Security is a specialist IT Security consultancy firm based in Switzerland. Services include pentesting, security assessments, digital forensics and security training.

SecuDrive

SecuDrive

SecuDrive, provides hardware encrypted external storage devices to protect a company’s sensitive and important data.

Calian Group

Calian Group

Calian is a diverse Canadian company offering professional services in areas including Advanced Technologies, Health, Learning and IT & Cyber Solutions.

ComCERT

ComCERT

ComCERT SA is an independent, private consulting company focusing in the assistance of its customers facing the dangers of cyber threats and security incidents.

MENAInfoSecurity

MENAInfoSecurity

MENAInfoSecurity is a regional leader in information security solutions, assurance services and managed services.

Axonius

Axonius

Axonius is the only solution that offers a unified view of all assets and their coverage, empowering customers to take action to enforce their organization’s security policies.

FAIR Institute

FAIR Institute

The FAIR Institute is a non-profit professional organization dedicated to advancing the discipline of measuring and managing information risk.

HancomWITH

HancomWITH

Hancomwith is an information security company. We provide optimized blockchain solutions in areas including next-generation authentication, security and digital asset transaction.

Wizard Cyber

Wizard Cyber

At Wizard Cyber, we simplify cyber security, delivering an advanced service that protects your high-risk assets from the complex threats that technology alone can miss, 24/7.

ABCsolutions

ABCsolutions

ABCsolutions is dedicated to assisting businesses and professionals achieve compliance with federal anti-money laundering regulations in an intelligent and pragmatic way.

Beyon Cyber

Beyon Cyber

Beyon Cyber offer a complete portfolio of advanced solutions & services for cyber security in Bahrain.

Odaseva

Odaseva

Odaseva delivers the strongest data security solution for enterprises running on Salesforce, safeguarding confidentiality and integrity of critical business information.

Amtivo Ireland

Amtivo Ireland

Amtivo Ireland (formerly Certification Europe and EQA) offers a range of certifications and related services.