It’s not if, it’s when. That’s how a Massachusetts Technology Leadership Council panel of security experts talked about the potential for security breaches in the cloud. That inevitability might be one of the reasons why enterprise CIOs are still reluctant (though less so than they used to be) to head to the cloud, a luxury small and mid-sized businesses simply cannot afford. The good news for those in charge of SMB IT: There are ways to diligently prepare for a sneak attack that can help mitigate the potential damage.
In this SearchCIO small business IT tip, Nick (aka Rattle) Levay, CSO at security provider Bit9 in Waltham, Mass.; Chris Ray, chief information security officer for targeted marketing firm Epsilon; and Chris Wysopal, co-founder and CTO at Software as a Service security provider Veracode, address the question: “How do you prepare your company to respond to a breach?” Here are their pointers:
Reach out to business teams, law enforcement and security trainers
Chris Ray: Make sure you have other departments involved up front [such as] legal and corporate communications. Have a preexisting relationship with external law enforcement, consult with them. … I’m also a firm believer that if you don’t have a large team, leverage someone else and do not take this all upon yourself. There are plenty of companies out there that have forensic retainer services. Get that in place [because] when something happens, you don’t want to be scrambling around trying to get a contract signed. Have someone available. And when you do a retainer-type service, they’ll offer so many hours of free training to help you in your program. Having that in place is, by far, one of the most important things to make sure you do.
Visualize worst-case scenarios
Nick Levay: I understand that a lot of small organizations can’t do a full written response plan, but as someone whose responsibility it is to do security, you should spend some time working through some of your worst-case scenarios and doing mental preparations. That’s because at any given point, you could come into work one day and find out it just turned into the worst day in your career. At that time, it’s going to be important to senior management that you are calm and in control. If you can do that, all of those interactions with executives, help desk, the legal department … all of that stuff gets easier if you can convey calm and control. The only way you can do that is by working through worst-case scenarios in your head.
Organize drills to provide hands-on experience
Chris Wysopal: One of the things we do, and we do this quarterly, is “tabletop exercises.” So we all get into the board room — the security team, people from IT, people from corporate communications, the corporate counsel — and come up with the different scenarios that could potentially happen. Usually it’s about a two- to three-hour exercise, and the person leading rolls out the information you’re discovering. I guess it helps if you play Dungeons & Dragons. It’s been very helpful for us when we’ve had incidents that just resulted in downtime that could have been a security incident but turned out to be some sort of human error. Having those processes in place so people know to get together and work through it is invaluable.
Get to know the business
Levay: If you’re in charge of security and response for a company, you have to understand the business. If you are a pure technical person and you only understand the technical infrastructure and you don’t understand how the business works, it’s going to be hard to run a security response. That’s one of the things about practicing security that makes it so intellectually challenging when you really get to the management levels: You need to understand the business really well. Not necessarily as well as the CEO or the CFO does, but you need to understand the business mechanics: where the money flows, where the crown jewels are, how the groups interact with each other. Otherwise, you’re not going to be able to make informed decisions.