The latest security threat to reach mass notoriety - the Heartbleed SSL vulnerability - has caught the attention of businesses, media and Internet users across the world. And for good reason. Real identities and real data on a large scale are at risk. In our fast-paced, data-centric digital culture, security risks are inevitable, but by and large the crisis plans and reaction times have been surprisingly slow. We're finally approaching a tipping point where security will be top of mind. In fact, many experts already expect an increase in security spending this year and beyond.
The security industry's move toward accepting that threats and incidents will occur despite best efforts for prevention further heightens the importance of preparation. The response to a threat, and subsequent time to resolution, has become more important than preventing the threat outright - if only because the latter is near impossible.
In the face of a threat like the Heartbleed SSL vulnerability, a few key areas come to mind where preparation can help businesses prevent tons of scrambling and question marks when future threats crop up.
There have been many reports of a cybersecurity skills shortage. Finding good talent in the near and long term will be crucial to organizations, particularly those with sensitive data on hand. Employing security experts allows you to determine how serious the problem is for your business.
What most businesses need to know right away is whether the threat is affecting every customer or employee, or only a subset. What about geographies, regulations and international efforts? Answering these questions requires a thorough, proactive inventory of all systems and architectures so you can quickly patch the right technology. Pairing great talent with great process speeds up decision-making, which increases profits and decreases losses, staunching the bleeding before too much damage can occur.
The threat landscape is continuously evolving as hackers adapt to technology and vice versa. Employees who are active in forums and industry discussions have a finger on the pulse of the industry. Additionally, in the face of a breaking threat like Heartbleed, many of the best insights are gained from security peers through these forums in real-time. Ensuring your security experts already participate in these discussions can prove to be invaluable.
Developing a communications plan in advance, working in conjunction with PR, legal, sales, executives and others deemed integral to the process, is something we don't see enough of. We've all heard the joke about “this information is given out on a need-to-know basis,” and in this situation, it's worth thinking through in advance who really needs to know, when they (or others) will need to know, and the triggering mechanism(s) to make it all happen. You should also develop the basis for pre-written, pre-approved communications so you're not scrambling at the last minute. This is vital because your sales people cannot answer questions about security with the same confidence as your internal experts or CISO. Setting the sales team up for success with solid process allows them to keep customers calm in the face of the storm.
Remember, it's not only the immediate loss of sales, customer dissatisfaction and angered shareholders that are at stake - it's also your future reputation. The words an organization uses (and to whom those words are spoken) could mean revenue walking in or out of the front door of the business. Being prepared with a crisis plan will go a long way towards saving time, money, frustration, sales and reputations, both the business' and your own. The next crisis is coming. Do something about it now.