2. How do we roll out our incident response plan?
Charles Carmakal, the strategic services CTO for FireEye Mandiant, says after the security team has initially triaged and confirmed malicious activity, it’s time for the company to put its incident response plan into motion. Typically, there's a gradual process of escalating the communication of potential security incidents up to the CISO and then the company's general counsel. The general counsel and CISO may notify other members of the executive leadership team as appropriate, depending on the scope and impact of the incident. Carmakal says these cases vary, but quite often the general counsel may only notify the CEO after the company has confirmed an intrusion took place.
Jon Oltsik, a senior principal analyst and fellow at the Enterprise Strategy Group, points out that companies should develop the ability to report breaches to authorities within 72 hours. The 72-hour response is stipulated by the EU's GDPR and the upcoming California Consumer Privacy Act, but Oltsik says it's a necessary goal even for companies not impacted by those laws.
"This is how the world is moving," he says. "Plus, companies want to be ready with their story before the phones start ringing from the press."