Why incident response is the best cybersecurity ROI

Most organizations will suffer one or more major security incidents in which an attacker has administrative control over the IT systems that enable business processes and storing critical data, according to the Microsoft Incident Response Reference Guide.

Business leaders and IT executives aren’t expected to entirely prevent cyber attacks, but they’re expected to react immediately and manage the fallout. Poor incident response — including, but not limited to, delayed response — has caused incalculable damages and reputational harm to Yahoo, Equifax, and most recently Uber, to name a few.

Are organizations properly budgeting for incident response?

Microsoft advises individuals in the roles of CIO, CISO, general counsel, head of PR, and immediate colleagues to prepare for a crisis. And in a crisis, they should engage professional assistance for an active major incident.

Better yet, organizations should be in touch with outside experts to help budget for potential breach responses ahead of time.

Theresa Payton, a cybersecurity and intelligence operations expert and former White House CIO, is one of the top incident responders globally. She helps answer the IR budget question for CSO readers.

“In my experience, I’ve rarely seen a company stop an active incident response due to lack of budget. However, these unexpected breaches can wreak havoc on a company’s bottom line,” says Payton, now CEO at Fortalice, a cybersecurity firm based in Charlotte, N.C., with cyber operatives in Washington, D.C. and other locations.

Monty Brinton, CBS

Apparently, most organizations have built-in approval to kick off IR when they’re hacked. But it’s not clear if the budget spicket stays turned on the whole time — or if gets turned on and off, which slows down the IR.

“In some cases, the IR may take longer due to tight budgets,” says Payton. “It’s imperative that corporations of all size prioritize cybersecurity spending, including allocating funds for swift, comprehensive incident response.”

IR costs and cyber insurance

How much will an organization spend on IR for a major incident, and will cyber insurance help cover the costs?

“According to an article by Computer Weekly, companies spend an average of $89,000 per cybersecurity incident, but I’ve seen investigations cost well into the hundreds of thousands of dollars,” Payton explains. “Some of the companies we have worked with have cybersecurity liability insurance policies, but when they execute the policy, they find that the IR support is limited in scope and not a turnkey service.”

Are CISOs ready?

“The program manager responsibilities for the IR ends falling squarely on the shoulders of either the CIO or CISO even though this might be their first major incident,” Payton adds. “Imagine taking a doctor who has never worked in the trauma ER unit and putting them in charge of that high pressure situation.”

This may explain why some CISOs become ex-CISOs after a breach, capping the IR.

How intertwined is budget and IR?

“In the event of a breach, companies that aren’t prepared for an attack and don’t have a well-defined incident response plan and/or budget may end up far outspending those who do,” says Payton.

“First, it takes time to assess the issue, plan, find capable people, etc. The more time it takes to respond to an incident, the more room hackers will have to commandeer what they’d like. Second, if companies haven’t clearly defined how they will respond and who will take charge, staff will likely be taken away from their core duties, which in turn costs the company money,” she says.

Payton agrees with Microsoft’s assertion that most organizations will suffer a hack. “Candidly, companies can’t afford NOT to have an incident response plan in place. The reality we live in is that breaches are more of a ‘when’ scenario than an ‘if,'” she says.

Are the cost-per-breach estimates accurate?

“The short answer: The true costs of an incident response appears, from our point of view, to be well beyond industry statistics,” says Payton.

Cyber crime damages are expected to cost the world $6 trillion annually by 2021, up from $3 trillion in 2015, according to a report from Cybersecurity Ventures.

“Cybercrime costs include damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm,” states the report.

Reputational harm?

The last line item, but certainly not the least, can be a real doozy for some brands: reputation.

“Of all the major costs and risks associated with managing a security incident, the potential hit to brand and reputation and loss of customer trust could be the most damaging,” according to the Microsoft IR Guide. In the guide, an Edelman security study states “71% of global consumers said they would switch providers after a company they rarely used suffered a data breach.”

Verizon paid $350 million less than what they originally offered to buy Yahoo — arguably due to Yahoo’s poor IR, which took years to reveal all of its 3 billion user accounts were exposed.

For anyone who thinks major security incidents are reserved for major brands, think again. While the biggest companies usually make cyber crime headlines, countless organizations of all sizes and types have been hacked over the past year.

Organizations of all sizes, types should prepare to be hacked

A glance at the latest Data Breach Diary lists a slew of cyber attacks on businesses globally — as well as the negative outcomes, which include numerous class-action lawsuits against victimized corporations.

IR is a thorny topic (barely covered here) and one that every CISO and IT security pro should bone up on if they haven’t already. The best starting point is the Guide for Cybersecurity Event Recovery, published in December 2016 by National Institute of Standards and Technology (NIST).

You have to spend money to make money. If getting hacked is a foregone conclusion, then IR is the best cybersecurity ROI. Every CISO should be able to explain that to their CEO and board.

Visit SteveOnCyber.com to read all of my blogs and articles covering cybersecurity.

Follow me on Twitter @CybersecuritySF, or connect with me on LinkedIn. Send story tips, feedback and suggestions to me here.