Sandra LambertLearn more about MES IT Security Summit speaker Sandra Lambert as she answers 10 questions from The Channel Company senior vice president of event content and strategy, Robert DeMarzo.

Sandra Lambert, CEO of Lambert & Associates, specializes in cybersecurity and business continuity consulting with clients worldwide. Prior to consulting, she was the CISO at Citibank and Security Pacific Bank, where she transformed cybersecurity from a perceived nuisance into a revenue source. Lambert served on the National Computer System Security and Privacy Advisory Board and is vice chair of the ANSI Standards X9F4 Working Group on Cybersecurity & Cryptographic Solutions. She is the founder of the Information Systems Security Association and chair of the ISSA Education Foundation. Her credentials include a Certified Information Systems Security Management Professional (CISSP-ISSMP), CGEIT, CCP and CISA.

Lambert is a keynote speaker for our upcoming Midsize Enterprise Summit: IT Security event, which takes place March 26-27 in Las Vegas. Lambert recently answered 10 questions about her keynote and the importance of an incident response plan.

You are delivering a keynote at the upcoming MES: IT Security summit on assembling a security incident response plan. Why did you pick this topic?

Every company – large, midsize, or small – needs a plan. In the past decade, the usual hacker profile has changed from “script kiddies” demonstrating their cleverness to professional thieves who are intent on generating revenue, societal disruption or political agendas. Due to cost/benefit concerns, we cannot always prevent a security breach from happening, but we can certainly respond appropriately when an event does happen. I’m passionate about response planning because it raises security awareness and brings together organizational units working toward a common goal, gaining an appreciation of how the work of individuals affects the enterprise. It’s exciting because various parts of the process can be viewed as a teambuilding exercise. Once complete, the plan gives the company a roadmap, developed in calm times, that can be followed in chaotic times.

How does a security incident response plan fit into an organization’s overall security strategy?

The plan fits naturally into the overall security strategy by aligning with the company’s risk management philosophy, providing some guidance into security as well as IT product selection, drawing data from the disaster recovery and/or business continuity planning processes, identifying key business applications, and highlighting key existing staff and/or staff recruiting requirements. As business units are doing more of their own application development, I believe that, in the future, we will be saying that the security incident response plan fits into an organization’s overall business strategy. Why? Because resilience is a business discussion, not just a technology discussion.

What is the most common mistake security leaders make in forming a plan?

Not getting senior management buy-in to support the process of developing and maintaining a plan. It is necessary to have a “champion” at the highest management (or Board of Directors) level on your side. Another mistake is assigning only IT and security staff members to the Security Incident Response Team. Many other areas of the organization should be on the team for it to achieve its greatest value for the business.

You believe that this is a plan with no end, but is a continuous process of improvement. Can you explain why?

If you do not treat the incident response plan as a living document, you may be able to pass your current audit review, but you may not be able to keep your business afloat when a security incident occurs. Why? The data in it will be unusable due to new or retired applications, staff departures, and lack of testing.

Can you discuss a few of the essential steps that are part of this plan? You know, the ones you cannot live without.

Obtain senior management buy-in so that you can fund the project. Get existing staff allocated to working on it (because it’s not likely in their job description or performance appraisal, although I claim that it legitimately must be). Define the scope of the plan. Organize the team. Test the plan.

What are the secrets for a CIO or security leader to get senior management buy-in to fund it?

It is important, from the CIO or security leader’s credibility point of view, to be straightforward that developing the plan is part of the cost of doing business, not just a one-off project that will be over and done with and stored on a file server (in the old days, we’d say “put on a shelf”). Present what positive values the plan will have to the business (e.g., favorable changes to insurance costs; documentation of existing processes that are only in the heads of key staff members - what if they leave/get sick?). Illustrate the negative effects of not having a plan (e.g., loss of customers; based on actual examples, estimate the cost of recovering from an incident with or without a plan). If you’re unsure management is 100% behind the effort, give them the option to split the project into a few phases, with a go/no-go decision point at each. This allows them to feel that they have more control over the expenditures.

Is this plan and the resources required expensive? Or are you relying on internal existing staff?

Ideally, the “heavy lifting” should be done by internal staff. They have more integral knowledge of the business, who to contact, and where to find certain necessary data. That said, experience has shown that, in small to midsize businesses, staff are fully utilized and there is no one staffer whose job is incident response planning. Therefore, an outsider guiding the process is extremely valuable because it is a visible sign of senior management’s recognition of the priority of this project. It gives greater assurance that the project will be completed and not just linger on forever (wasting resources). It’s cost-effective due to using the outsider’s proven experience rather than reinventing the wheel. I believe that the cost of using this approach, depending on the amount of work that the staff can do, is not cheap, but it is reasonable. It can become expensive if there is no staff available to assist in the process. Needless to say, any company needs to compare this project cost vs. the cost of inadequate or no response to a security incident, which can result in lost revenue, expense of containment and recovery, negative publicity, loss of goodwill, or the demise of the business. The priciest item, which is not often needed in a midsize business environment, is hiring an outside forensics investigation team to determine, if necessary, the original point of attack, the extent of the damage, and any international involvement.

Is this something that CIOs and senior IT leader could turn to partners such as IT integrators or managed security solution providers to develop?

From my experience, IT partners are helpful in working with the IT and security members of the response team to identify the infrastructure, network, operating system, application and security tools/features that are either in place or are needed to make the incident response effective. In addition, MSSP staff could be assigned as members of the incident response team (keep in mind, there would be a cost associated with this). So, there is a synergy, but I believe the development of the plan itself should be done by the business because there are many elements of the strategy, scope, team membership, and testing that are best known by the company’s staff and that are not IT related (hence, more cost-effectively handled by them).

I suppose any plan on paper looks good, but it is really putting it to the test that really matters. What’s the best way to test the plan so it adds value to the business?

Absolutely right! The best way to test the plan is to start at the lowest element and work upward, i.e., if you have determined in your plan scope that you’ve developed an “incident playbook”, test those procedures first. Then move up the chain to, for example, a notification test on a Saturday evening. None of these tests should involve production systems, so everything is safe. In essence, the testing of the plan should mirror the testing of your disaster recovery or business continuity plans since the response plan is a major part of both those plans.

What do you view as the biggest IT security threats in the midmarket this year?

Unfortunately, my crystal ball is out being polished, but I'll hazard these predictions of the 2019 biggest security threats in the midmarket: (1) Spear phishing threats will continue. Attack targets in 2018 that are still likely to be vulnerable are the real estate agency or mortgage lending businesses. (2) Malware, including ransomware, will continue, but perhaps be more targeted at certain verticals, e.g., healthcare and their supply chain companies. (Make sure your backup plan is working and tested!) (3) And last, but not least (actually it’s the most), are password (authentication) attacks – the weak link in your security armor. There are multiple ways hackers can discover your passwords, e.g., brute force attacks, installing keylogger malware, phishing attacks. Passwords have not been an effective security control for decades and 2019 may finally be the year that Multifactor Authentication (MFA) is widely implemented. MFA solutions are now easier to set up, easier to use, much less expensive, and more accessible to midsize businesses. One of your channel partners may be able to help you install a system that will greatly reduce this longstanding security threat.