Handling a corporate security breach is likely to be one of the most intense moments of your security career. In this day and age, it is an accepted truth that all organizations will be breached at some point - what is important is how YOU handle it.
You are going to have your deductive skills tested to the limit; security breaches happen through the places you were not looking. If you are lucky, you will be able to infer what happened through the remaining audit artifacts on your network.
Survival Tip #1:
Be prepared to spend some quality time with your executive management team. During a security breach, you will find so many higher-up people who previously were merely names on your company's Organisational Chart become imminently real.
If your experience at the job has been something like to sitting quietly at your desk doing 'your thing', then the moment an incident happens, you are going to see more people from the Executive Leadership of your company than you ever imagined.
AND they are going to require fast and decisive answers from you, and trust me, it will drive you crazy, because you are an engineer and the unknowns always outweigh the knowns. Welcome to their world - you will be asked to make decisive, quick assessments of the information you have available and you will be held accountable for them afterwards.
Another thing that will happen is that you will perceive everything that you've spent your time on amount to NOTHING, you will rant and rave to yourself (and all YOUR listeners) that this is just the proof you should quit and find another job. Well, take some solace in the realization that-- things may have been much worse without the work you rendered. It is not the fact that a security breach occurred, it is the scale of the breach that matters.
Remember that the business of your company will endure, for better or worse. Realize that the truth of what you saw will never see the light of day - it will be spun into an acceptable story and you will be bound by law to keep the secrets of someone else's failure; you accepted that eventuality when you took a job in Information Security. The real trick is to survive the process with your sanity intact.
Survival Tip #2:
It is not the time for believing or telling that "I could have prevented this," that time has come and gone. Your job is now to discover and document *HOW* this happened - but not your interpretation of *why* this happened. It is also not the time to invoke all your "I Told You So!" instincts.
Establish and document the timeline of events. Your first responsibility and perhaps the most important one at this moment. You will be needed to create a complete and detailed timeline.
A complete blow-by-blow timeline of how everything happened within your network is the primary information your command chain needs from you. This information is what is required for legal, PR, and the board members - it should be the primary deliverable that all other workflow is derived around. Most importantly, this is what will most effectively keep the management monkey off your back.
Survival Tip #3:
Don't succumb to the endless requests for hourly updates - it can impact productivity. People will be expecting to receive constant updated status from you, but don't let this updating too often get in the way of work. Give yourself and your analysts time-n-space to do actual analysis
Just think that if at first you may want to do hourly status calls, but realize that a 15 minute conference call every hour is just robbing 25% of your productivity in doing actual forensics work and interrupting the flow of something that requires extensive lengths of focus to achieve.
Do not be afraid to push back and give yourself time to report more accurate findings - make it clear that you can either deliver inaccurate information now, or accurate information in another hour from now.Ultimately, your job is to enable informed executive decisions at this point, so clearly set expectations that this is your goal.
Survival Tip #4:
Keep calm, don't panic, and don't take things too personally. Things are going to get a little crazy, requests become orders and all niceties fall to the wayside. In times of crisis, sanity becomes more important than pleasantries.
Once an experienced pro share this--
"A friend and co-worker during a security breach we worked on together, asked me once it was over if I thought he had permanently offended people on the team for his tactic of handing out orders to people in a very demanding, terse manner throughout the event. In fact, his no-nonsense approach of delegating requests to people that were most suited for the job, with his implicit understanding of what was within the realm of deliverable possibility, became a beacon of sanity as events unfolded."
Studies have shown that people would rather work with unfriendly, competent people, than unfriendly, incompetent people.
This effect becomes more pronounced during times of crisis; do not worry about offending people by not being nice to them, worry about not adding to the insanity. Inevitably, you are going to end up making some judgment calls that may be above your station and tasking people that you normally would have no authority over, on the understanding you'll answer for it later on if needed. As long as you make this clear at the time, any reasonable person should support you on this.
Once again, times of crisis bring out people's true natures - it is going to be an inevitable by-product that you will know more about yourself and your co-workers after the event than you ever did before.
Survival Tip #5:
It's okay to ask for help and support, you've been through hell and back. As the long hours and sleepless nights count up, remember that there is an end; eventually you will have discovered all there is to discover; Executive Management will have all the information they require to do their job and life will return to the 'New Normal' once more.
If public disclosure of your security breach is required, know that it is a double-edged sword - you may well experience great release in knowing that the truth is finally out there, but you must come to terms beforehand that the PR spin engine will be operating at full pace and you will be under a mountain of non-disclosure.
People working in Information Security generally tend to be self-reliant types and the idea of using support resources outside of your own network of friends and family may seem alien, even repellant to you. Still don't underestimate the value of having someone you can legally discuss things with.
-
Manage the stress, try not to say anything you can never take back and realize that you're going to come out of this with experience that you can't learn in any lab, nor any simulated exercise.
Lastly remember--
What does not kill me, makes me stronger."
- Friedrich Nietzsche, Twilight of the Idols
Guys, I didn't tell you about dealing with a security breach in a technical sense or a legal sense; I told you about maintaining your mental health and career prospects during one.
--
What is your opinion and thoughts about this set of survival tips when a security breach/incident happens?
Please leave me your valuable thoughts or views in the comment section.
This Article Was Written & published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...
She is so obsessed with Cybersecurity domain that she is going out of her way and sharing hugely valuable posts and writings about Cybersecurity on website, and social media platforms.
30,000+ professionals are following her on Facebook and mesmerized by the quality of content of her posts on Facebook.
If you haven't yet been touched by her enthusiastic work of sharing quality info about Cybersecurity, then you can follow her on Facebook:
Click Here to follow her: Cybersecurity PRISM