I went to a casino recently with some friends, and watched play at the roulette table for a while. It was really interesting, to see the mindsets of the different people playing. Some were consistent with their play, playing corner bets, where you place your bet on a corner between four numbers. Some others were betting small amounts on individual numbers which held importance to them. Others bet the “safer” bets of red/black, even/odd, or high/low.
What interested me were the people who were wildly inconsistent with their bets. They’d increase their bets after losing a few times in a row, because they must be “due”. The bettors reasoned with themselves that since their number hasn’t come up yet, it will soon.
The House Always Wins
Of course, that’s not the way the odds work. The house always wins because the odds are the same whether you’ve won or lost the last 5 spins. The odds are skewed in the house’s favor, and this behavior is what makes casinos such wonderful money makers.
To me, information security is a lot like gambling. You can gamble on the fact that you won’t have a breach. You can gamble on the fact that your data will be safe. But the house always wins. Eventually, your luck will run out when the chips are down. And you don’t want to be the one walking home empty-handed.
A report published this month by the Ponemon institute had two very interesting survey questions in it.
- In the past 24 months, how many security incidents or breaches did your organization experience?
- Do you anticipate that your organization will experience a material security breach sometime in the near future?
The funny thing to me is that almost the same number of respondents believed that the past was an indicator of the future. 32% responded that they had experienced no breaches. And 31% – almost the same number – responded that they did not anticipate a future security breach.
This is the same kind of thinking that gets people in trouble at the roulette table. It will also get them in trouble in their information security program.
Preparation is the Key
As mentioned in the subtitle of this article, the question is no longer if you will suffer a security incident or breach, but when. Over two thirds of the organizations surveyed in the Ponemon study have experienced a security incident within the last two years. They happen all the time. And you’re likely to be next.
Being prepared for a security incident is a part of minimum viable security. If you don’t have a plan of action for the day you find out you’ve been breached, you won’t have time to develop one. There is only time to put the existing plan into action.
Security incident preparedness at its core must include a process which addresses:
- The investigation process flow, including escalation to appropriate parties (especially management and legal), and defining responsibilities for individuals or or positions.
- An ability to collect and organize information about the incident, to prevent it from tampering or loss as the investigation continues.
- An ability to report information about the incident to affected parties both internally and externally.
Ultimately, the goal of your incident response process will be to learn the cause of the incident, and what mitigating controls you can put in place to prevent a similar incident in the future.
Incident response preparedness is something every organization should be addressing. If you’re not sure where to begin, I invite you to contact us for a brief, no-obligation consultation about preparing for security incidents. Be prepared, rather than hoping that your luck continues to hold out.