Sunday, July 15, 2012

No Day at the Beach: The Rationale for Breach Practice

Here in the Northern hemisphere, where approximately 90% of SGSB readers reside, it's summer.  In Europe (pre financial crisis Europe, anyway), it's time to throttle back and head for the beach. In the US and other parts of the world where long breaks are less common, beach time remains, for most, a scarce commodity.

Certainly with record heat waves driving air conditioning use way up, energy workers need to be on their toes, not dipping their toes in ponds, lakes or oceans.

Because I subscribe to Mckinsey & Company's Quarterly cybersecurity newsletter, I had the good fortune to come across this article yesterday: "Playing war games to prepare for a cyberattack".

We've talked on this blog before about the need for resilience, as in THIS POST from earliest 2012 citing statements on the subject from PJM CEO Terry Boston.

To me, awareness and acknowledgement that you have endured successful attacks, are being attacked or at least scrutinized right now, and will come under increasingly heavy and varied fire in the future, is a key indictor of whether your organization is reality based ... or not.

If your company is reality based, and you've haven't been running practice breaches yet, now's a good time to start, and the Mckinsey piece gives you a framework for getting started.

I won't pull any citations from it, though it's full of goodness. But rather, leave you with this sharp comment from UK-based reader:
In this still-nascent area of corporate risk and reputational vulnerability, the understanding of precisely who has responsibility for what should the worst happen isn’t good enough. We need new governance structures to provide more robust ownership, and in the interest of all stakeholders (customers, staff, shareholders, suppliers etc), we need a better reporting framework to ensure rhat public confidence in our most important IT and network-reliant brands is maintained.
Ah yes, the need for better security governance and better structures. Nothing like an actual impactful data or systems breach, or the realistic trial of dealing with one, to show you you're not organized to deal with it the way you'd want to be. 

Practice might not make perfect, but it can only serve to improve your understanding of the challenges, and may give you the fodder you've got to have to drive the changes you need.

Now, where's the suntan lotion?

Tilted Photo credit: ToddonFlickr