The Farmer and the Equifax

Amjed Saffarini

In the wake of major disasters, companies often retrench to their board rooms and ask questions about the state of their own resilience. These questions follow one of two tracks. The first is a retrospective post-mortem of their own company, or preferably an affected competitor. It starts with a question like, “How would we be affected or react if this happened to us?”

In the wake of the Equifax consumer data breach, many of the stories in the past days share well-articulated insights that are nonetheless written with full 20/20 hindsight in play. There is even evidence that Equifax itself took this path two years ago in the wake of the Experian data breach. While well-intentioned, this hindsight-driven approach is fundamentally flawed.

When penning an article or responding to a board question post-mortem, we are afforded luxuries that our disaster-distressed selves would not be afforded in a real scenario. For example, compare your mental state now versus in a true disaster – the shock and suddenness (then) vs. the quiet reflectiveness (now). One of the greatest underestimations of post-mortems is the effect of imperfect and often conflicting information during a live, unfolding crisis. To illustrate this, consider the following three fictitiously timed statements:

If your blood pressure progressively elevated from “slight nuisance” to “we may lose our company,” then you’re likely in good company with Equifax’s executives as they gleaned more information about the incident from the initial discovery until today. It is much easier to think about your actions for Day 0 when you know what Day 20 looks like, but we almost never do.

Anyone who has read a post-mortem report, though, will attest that it is unlikely that the report captures the nuances of timing and progressive urgency. Instead, the report highlights the diseased final state and what the company should have done to protect itself in the first place, often forgetting about all the other possible infections that could be acquired.

So, if studying Equifax and gleaning lessons learned, even in light of the little we know, is an easy but relatively unproductive sport for our own resilience, what is the alternative?

The second track is the one that we advocate for in our trainings with executives and boards. This track makes a much more natural supposition about the state of risk in cyber security. Instead of assuming perfect hindsight about random one-off events, let’s instead suppose that Equifax treated cyber risk much the way weather risk is accounted for by a large farming cooperative. Our assumptions regarding cyber threats would instantly shift from being unknown and one-off to mitigatable risks.

Figure 1—Cyber risk is an influencer to traditional enterprise risk categories

Farmers understand that crops are their most important assets. They understand and monitor any threats, from weather to insects to hungry predators that might affect those crop assets. They also know the vulnerabilities that their particular crops, in their particular locations, have compared to those of other farmers in other locations, and they have people at the ready to mitigate the impact to their farms, should disaster strike.

The Equifax breach will likely change many upcoming boardroom agendas and spur more communications about cyber breaches among senior executives. Executives, security professionals, and the public at large should then take this opportunity to think about what their most important crops are, what true vulnerabilities exist in them, and how to better mitigate those risks.

Amjed Saffarini, CEO of CyberVista

[ISACA Now Blog]
