A new breach readiness survey found that far too many companies are dragging their feet to establish formal incident response plans.
The survey, published by RSA on Tuesday, compared the responses of 170 security practitioners in 30 countries, with feedback from members of the Security for Business Innovation Council (SBIC), which served as a “best practices benchmark” for the study. The SBIC consists of security execs from Global 1000 companies, like General Electric Global CISO Timothy McKnight, Johnson & Johnson Worldwide VP of Information Security Marene Alison and JP Morgan Chase CIO for Commercial Banking Anish Bhimani.
Unsurprisingly, all 12 members of the SBIC who participated in the survey, including McKnight, Alison and Bhimani, said that their companies had formal incident response plans (IRPs) in place. Within the larger pool of non-SBIC respondents, however, 30 percent said they did not have such plans implemented – and among those who did, 57 percent admitted to never updating or reviewing their IRPs.
In the report (PDF), “incident response” is defined as a “comprehensive, premeditated approach to protecting applications, data and information infrastructure from cyber attacks.”
“Process, people, procedures and technologies are core elements of a thoughtful incident response plan,” the report continued. “Incident response planning is dynamic. Enterprises that fail to evaluate incident response plans against new threats expose their systems, data and infrastructure to attack.”
The survey measured breach readiness through four major areas: incident response, content intelligence, analytical intelligence and threat intelligence. Of note, another major gap between SBIC's respondents and answers representing the industry “at-large,” was in the threat intelligence category. When asked if their organization augmented internal threat intelligence with data from external sources, all of the SBIC respondents said that they did. Only 43 percent of the industry at-large said the same, however.