A good manager does not “freak out” when an employee presents bad news…sometimes really bad news.
Don’t shoot the messenger — or else the remaining messengers learn to sugarcoat, skew, or filter the information and their communicated opinions and recommendations.
We’re all in this together; let’s start by assuming the good intentions of our fellow employees and then address the problems as a team.
Emphasis in red added by me.
Brian Wood, VP Marketing
Some IT security pros would lie to CEO about cyberattack
The survey respondents were reacting to a scenario posed by the Ponemon Institute: “We asked participants in this study what they would do if their company had a cyberattack and the CEO and board of directors wanted a briefing on what happened and how it will affect operations. The meeting is called so soon after the incident that they are not able to have all the facts.”
Two-thirds of respondents admitted that their chief information security officer would probably water down the cyberattack report due to fear of the reaction from the CEO and board.
“This is a big problem. As a security guy you are hit with a lot of things, and some things are more important than others. If the intelligence doesn’t allow you to prioritize, this means you are spending too much time trying to figure out what you are dealing with,” Larry Ponemon, founder and chairman of the Ponemon Institute, tells FierceITSecurity.
A full 80 percent of respondents said the most important aspect of incident response is the ability to quickly detect cyber threats, and 72 percent said it is the ability to obtain high quality forensic evidence about cyberthreats.
“I consider this the yin and yang of good security: the ability to do something quickly, but to do it based on intelligence that is accurate and actionable. What we often see is that either things take too long or the response is fast but not based on good quality intelligence, and you end up making choices,” concludes Ponemon.
Ponemon and AccessData Study Reveals Majority of Organizations Unable to Effectively Respond to and Resolve a Cyber-Attack
AccessData, the leader in incident resolution solutions, and the Ponemon Institute today released new findings focused on the current state of incident response and threat intelligence and how both can be improved to better benefit organizations. The report, Threat Intelligence & Incident Response: A Study of U.S. & EMEA Organizations, sponsored by AccessData, surveyed 1,083 CISOs and security technicians in the United States and EMEA about how their company handles the immediate aftermath of a cyber-attack and what would help their teams more successfully detect and remediate these events.
Startling findings show that the lack of incident detection and investigation puts companies and their CISOs’ jobs at significant risk. In fact, when a CEO and Board of Directors asks a security team for a briefing immediately following an incident, 65% of respondents believe that the briefing would be purposefully modified, filtered or watered down. Additionally, 78% of respondents believe most CISOs would make a “best effort guess” based on limited information, and they would also take action prematurely and report that the problem had been resolved without this actually being the case.
This alarming disconnect results from several critical shortcomings in the current point solution approach to cybersecurity and incident response (IR), namely:
- Lack of timely compromise detection: 86% of respondents say detection of a cyber-attack takes too long;
- Inability of point solutions to prioritize alerts as they come in: 85% say they suffer from a lack of prioritization of incidents;
- Lack of integration between point solutions: 74% say poor or no integration between security products negatively affects response capabilities; and
- An overwhelming number of alerts paralyzing IR efforts: 61% say too many alerts from too many point solutions also hinders investigations.
“When a cyber-attack happens, immediate reaction is needed in the minutes that follow, not hours or days,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “It’s readily clear from the survey that IR processes need to incorporate powerful, intuitive technology that helps teams act quickly, effectively and with key evidence so their companies’ and clients’ time, resources and money are not lost in the immediate aftermath of the event.”
Further, the respondents also shared growing concerns about the inability to find the root cause of a compromise. While 66% of respondents believe determining root cause of prior incidents enables them to strengthen defenses, 38% of respondents say determining the root cause of a compromise could take a year while an alarming 41% believe they would never be able to identify the root-cause of security events with certainty.
Lastly, integrated threat intelligence – a hugely promising approach to arming CISOs with the latest indicators of compromise (IOC) information and ability to confirm threats – appears to be largely unusable by current security products, with a full 59% of respondents saying they are not able to efficiently and effectively use threat intelligence with their existing security products.
“Today, companies focus primarily on the protective aspect of their information security,” said Craig Carpenter, Chief Cybersecurity Strategist at AccessData. “While protection is obviously important, this research reinforces the critical need for organizations to invest in automated IR technology integrating security, forensics and eDiscovery solutions to facilitate not just incident response, but incident detection, investigation and resolution. CISOs are clearly saying their disparate tool sets are not keeping up with the threats they face. What they need is an incident resolution platform that doesn’t just integrate alerts from myriad point solutions, but makes intelligence actionable and automates significant portions of the IR process, allowing them to focus on the most pressing incidents.”
Additional key findings revealed that current security products make it difficult to import multiple threat intelligence feeds or quickly investigate mobile devices:
- 40% say none of their security products support imported threat intelligence from other sources
- 86% rate the investigation of mobile devices as difficult
- 54% say they are not able to or unsure of how to locate sensitive data such as trade secrets and personally identifiable information (PII) on mobile devices