The importance of practice in estimating costs

Quantifying the costs of an incident in advance is an inexact art greatly aided by tabletop exercises. “The best way in my mind to flush all of this out is by going through a regular incident response tabletop exercise,” Gary Brickhouse, CISO at GuidePoint Security, tells CSO. “People know their roles so that when it does happen, you’re prepared.”

It also helps to develop an incident response (IR) plan and practice it frequently. “I highly recommend having an incident response plan that exists on paper,” Draeger says. “I mean literal paper so that when your entire network explodes, you still have a list of phone numbers and contacts and something to get you started.”

Not only does the incident response plan lead to better cost estimates, but it will also lead to a quicker return of network functions. “Practice, practice, practice,” Draeger says. “Absolutely practice every step of your incident response plan and whatever your critical processes are. Be able to run manually. Be able to run on paper. If it requires that a form is printed out, have a stash of them somewhere. Whatever you need to do to run without your network until you can get your network up, have that system already in place.”

Stephen Boyer, founder and chief innovation officer of Bitsight, tells CSO that one big handicap CISOs face is the lack of a common method for calculating incident costs. CISOs can rely on various risk management models to calculate the expected costs of some variables that make up breach costs, including the widely used Fair Institute methodology or the Monte Carlo Simulation, to name two of the most frequently used methods. “But there’s not a universally accepted standard for measuring and predicting the losses,” Boyer says. Miscalculating the costs can significantly damage a CISO’s reputation or even lead to job loss.

“If something comes back and we have an annual expected loss of $50 million, maybe it’s $54 million, maybe it’s $48 million. But if then something comes back and you have a loss of $60 million, it’s like, ‘Hey Steven, you’re an idiot.’”

“The average lifespan of a CISO is around 18 to 24 months, which is not what I want for a member of my executive team,” Draeger says, speaking of the potential fallout for CISOs. “We have seen CISOs being used as something of a scapegoat, which shows a fundamental lack of understanding of how to use these people well.”

Be proactive in communicating incident costs

After developing the breach cost estimates, CISOs benefit from communicating them to the board and other leaders as soon as possible, ideally well before an incident occurs. “Proactivity is better than reactivity,” according to Boyer.

“Let’s say I’ve not been hit with a ransomware attack,” he says. “There’s been no business email compromise, but I know it’s only a matter of time before these things will happen. Do I have to develop all this in advance and give it to the board or the C-suite, or do I wait and have it already and then give it to them? Is it incumbent on them to be proactive now before anything happens? I believe that you almost always want to be proactive.”

Proactively informing the board and leadership also helps spread the risk. “If you want to do any amount of risk transfer, which is insurance, you’re going to have to go through this exercise anyway because you’re going to need to decide how much coverage you want,” Boyer says.

Brickhouse advises CISOs to establish “cadence and communication” with top management and the board before something happens. He also suggests that CISOs should reach out to top management and the board to take advantage of the timing of highly noteworthy cybersecurity incidents.

“We always talk about never letting a good headline go to waste,” he tells CSO. “Never let a good crisis go to waste. And so, when you see other organizations with data breaches, [tell the board], ‘Hey, this company, it just cost them $4 million.’ That’s a great opportunity to go in front of your board and talk about what’s happening in the industry right now. You can say we just saw a company, and maybe if it was in your same industry, they had this issue; this is how it happened and how much it cost. Oh, by the way, if this were to happen here, here’s what we’re thinking about.”

The bottom line for Brickhouse: “There is definitely something to be said about building that rapport with the board and talking about it in that context before ever having your own incident.”
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3844334/the-breach-cost-how-much-how-cisos-can-talk-effectively-about-the-toll-of-a-cyber-incident.html