
Get Security and Business Teams Aligned by Assuming You've Been Hacked

Security Organizations and Businesses Must Plan and Prepare for Information Security Incidents and Breaches Together as One Team

Operating with the assumption that you’ve already been hacked makes security incident response planning a priority for the organization. Security professionals know that, but it is not a perspective shared by the business. Business leaders aim to avoid negative news, make business as frictionless as possible and spend as little as possible on security. Telling them that a hack is a matter of “when” not “if” could be a career-endangering conversation.

Yet, for all the resources spent on security ($86.5 billion worldwide in 2017 according to Gartner), we are constantly reminded that users are the weakest link and privileged users pose a significant threat. Security incidents and breaches continue to make headlines, and criminals are constantly evolving their attack methods. Even independent businesses are finding themselves in the line of fire for nation-state attacks. Only the most myopic would think it can’t happen to them.

Getting business leaders to think from the mindset of “already hacked” starts with a conversation that can then lead to a path of increased alignment with security priorities. Assuming that you are already hacked will not only require involvement from your security team, but active participation from business partners as well. Consider these approaches together with your business partners.

Plan and train for the initial incident and breach response

In my years as a U.S. naval officer, I spent more time training to fight fires than I did training to launch missiles. That’s because the most likely threat to a warship at sea is fire – either accidental or caused by battle damage. Every person serving on a naval vessel is trained in damage control tools and procedures, even the officers.



Similarly, security organizations and businesses need to plan and prepare for information security incidents and breaches together as one team.


Breaches will occur at different severity levels, and increases in severity should result in escalating levels of resources needed to respond. For example, an incident of criminal activity that does not affect customers may not require executive participation. But if your business becomes front-page news, the brand management team and the CEO may need to create statements for the press, craft compensation plans for victims and communicate to shareholders.


Just as the Pentagon has its “OpPlans” for various scenarios, such as responding to an invasion of South Korea by North Korea, these plans must be written, tested and trained against regularly. Many organizations use a “red team” for penetration testing, which can be completed by an internal team, outsourced to a third party or orchestrated through a bug bounty program. Even your auditors can provide scenarios. As they find vulnerabilities and weaknesses, incorporating their findings into an exercise can add realism to your tests.


These are tasks best performed without the pressure of an incident hanging over your head. And these exercises can give your business a new appreciation for what can happen, helping executives get a better sense of what security teams are up against when making the case for additional resources.


Plan and train for remediation 

While good security teams already have procedures in place to remediate a breach, such as patching systems or recovering from backups, there is more to consider than the technical tasks. Legislation, such as GDPR, may require very specific timelines for notifying those whose personally identifiable information has been stolen. Attorneys may have to prepare to defend against lawsuits. Criminal forensics need to be gathered before evidence is destroyed by restoring from a backup, and shared with the appropriate authorities.

The business is also the source for prioritizing service restoration. If you have multiple services impacted, say by ransomware, how do you know which ones to restore first? The business should have business impact analysis (BIA) documents that must guide these decisions. Don’t wait for an incident to understand where these documents are kept and translate them into something usable for the security team.

Perhaps even worse than a lack of incident response planning is a presumption that you’ve arrived from a security perspective, that you are invulnerable to the types of attacks that others are experiencing. Get comfortable – get hacked. The business needs to understand that the threat environment is constantly evolving and no matter how strong the security may be, it’s essential to prepare for the inevitable day when a breach occurs that demands executive attention. When it happens, instead of clashing over perceived priorities, CEOs can walk into the boardroom with a plan and security can mitigate the effects.

Travis Greene, Identity Solutions Strategist at Micro Focus, possesses a blend of IT operations and security experience, process design, organizational leadership and technical skills. After a 10-year career as a US Naval Officer, he started in IT as a Data Center Manager for a hosting company. In early 2002, Travis joined a Managed Service Provider as the leader of the service level and continuous improvement team. Today, Travis conducts research with NetIQ customers, industry analysts, and partners to understand current Identity and Access Management challenges, with a focus on provisioning, governance and user activity monitoring solutions. Travis is Expert Certified in ITIL and holds a BS in Computer Science from the US Naval Academy.