Evaluating Security Incident Management Programs

Author: Robin Lyons, Principal, IT Audit Professional Practices, ISACA
Date Published: 4 March 2020

The dynamic operational landscape created as businesses drive competitive advantage through technology renders a static risk management program ineffective. As enterprises innovate, information technology groups are challenged with revisiting the suitability of architecture, security platforms and/or software deployment to meet business-driven changes. In keeping pace with these changes, enterprises’ risk management concerns are not limited to the known internal technological changes that come from their efforts to be competitive; there is also the external environment to consider. In its 2019 State of Cybersecurity report, ISACA noted that survey respondents expect phishing, malware, and social engineering attacks to increase quantitatively.

The report goes on to say that survey respondents perceive that they are experiencing an increase in attacks. There is an indication, however, that the number of attacks may be leveling off. Whether attacks are increasing or leveling off, the concern of survey respondents is well-founded. One only needs to scan news reports to know that the reporting of a security incident is only the beginning. Long after one security incident news story has been replaced by another, an enterprise is still working through the reputational damage and other repercussions from the incident.

So, as enterprises face the internal challenge of business innovation and the external challenge of ongoing attacks, they can counter by shoring up the response programs that most enterprises already have in place. Along with disaster recovery programs (which address availability and restoration of critical IT services), business continuity programs aim to prepare an enterprise to respond to potential disruption of business processes. Rounding out this response triad is a security incident management program. Security incident management programs share with business continuity and disaster recovery the common objective of ensuring availability and restoration of IT services and critical processes. The security incident management program differs from disaster recovery and business continuity programs, however, in that it can have preventive elements as well as post-incident elements.

An example of a preventive measure that enterprises may adopt so that they can be proactive (or at least detect and contain incidents in real time) is threat hunting (host-based or network-based). Threat hunting can also enable the enterprise to perform analysis that can help design defenses against future incidents.

In addition to leveraging threat hunting or other measures as pre-incident tactics, enterprises can also evaluate their security incident management programs as a proactive activity to ensure that an effective foundation is in place should an incident occur. In its Security Incident Management Audit Program, ISACA assists IT auditors in their evaluations of security incident management programs. This audit program takes into consideration assurance around:

  • Program design and implementation, from information security management, awareness and training, to insurance and third-party due diligence;
  • Tools and technologies, inclusive of software and server and workstation configuration;
  • Reporting best practices, giving consideration to the balance of incident details and potentially sensitive information;
  • Lessons learned, ensuring protocols that include input from all stakeholders.

Opportunities for enterprises to gain competitive advantage through technology exist and enterprises are converting those opportunities into realities. Included in that reality is the need for dynamic business continuity, disaster recovery, and security incident management programs. In particular, a security incident management program's preventive as well as detective elements can help enterprises navigate business innovation and potential security issues.