The development of incident response, be it in the origins of Computer Emergency Response Teams or the modern equivalent provided by the growing number of commercial breach response companies, has tended to focus on two key factors - both of which I think are a little short-sighted.
We saw these challenges when setting up ReSecure and set about, over 4 years ago, to address them with a different approach. So what are these two issues?
Issue A: The Blinkered Approach
As a cynic, I believe that most organisations have a lot to do internally before they can truly say that Information Technology is part of their business DNA. I hold that most government and commercial organisations tend to diverge into two primary camps; and when I say camps I mean people as well as processes:
Camp 1: Front Office - Executives, Business Development, Marketing, Corp Comms, Legal/Contracts and a few others.
Camp 2: Back Office - Accounts, IT, Facilities, Audit, HR (although senior HR like to be in Camp 1).
So, how does this affect Cyber Incident Response? Well, two types of specialist suppliers have developed, both with a vested interest, and customer contacts, in each camp. These are:
Legal Advisors/Breach Coaches, who tend to consider that the best way to resolve situations for their clients is to deal with the legal/regulatory aspects. The IT piece is important, but this can be dealt with by internal or external teams and, as legal experts with limited IT knowledge, the technical information provided had better be right! And:
Technical Solutions Providers, such as Computer Forensics or Pen Testing Consultancies and also specialist security software vendors, who tend to see the world as a technical challenge where all that matters is finding the evidence of misuse (or accident) and recovering systems to BAU. Legal issues and potential regulatory impact feature as being of subordinate importance to the technical challenges!
Both responder camps have absolutely legitimate approaches and, if professionally managed, should considerably reduce the impact of a data breach for the affected client.
However, these approaches are far from optimised and they are also missing the integration (and I mean integration, not association) of two other key specialisms: crisis PR and surge notification/credit monitoring. In order to provide a solution and to deliver optimum and complete cyber incident & breach response, we have worked hard with ReSecure to build a truly integrated team of both legal and technical specialists as well as crisis PR and surge notification and credit monitoring experts. ReSecure is not just a panel of providers; it is a truly single team of expertise who exercise together around a common incident response framework and standard operating procedures. In this way we bring to those who suffer cyber breaches and other types of security and business continuity incident a tried-and-tested solution to minimising the short-, mid- and long-term impact on their organisation.
Issue B: The Pseudo-Global Capability
Some providers of cyber incident & breach response services, essentially those large, single organisations including accountancies and IT systems integrators, claim to bring to their clients a truly global capability to deal with any breaches, regardless of where they may occur. It is true that these considerable service organisations have an impressive global footprint of local and regional offices. However, they also rarely have the legal, technical and other vital skilled personnel in those offices, preferring instead to locate these staff in one or two major business hubs and then fly them to where their clients need them most. So it is perhaps a contradiction at best to claim global capability when the responders a client may need may be thousands of miles away and frantically learning the local law and investigatory regulations as they speed towards the point of need at business class rates!
Again, with ReSecure we tackled a client's need for local cyber response by taking the time to onboard regional and local legal and technical experts, all vetted to a high standard and with in-depth knowledge of local jurisdictional law and regulations and contact networks that could be brought immediately to bear in the truly rapid assistance of a client in need. The ReSecure network of associates now reaches to 12 countries and provides effective regional support for all the continents of the world.
ReSecure is always going to be a work-in-progress as we develop to address our clients' needs in the most responsive and sensitive way. Our approach is different but designed to put the client first when effective response to a cyber breach really matters.