The Politics of Getting Hacked

Published 06 April 08 02:07 AM | Rafal Los 

    It's the words that keep IT Security Managers up at night - "We have a problem, I think we've been hacked".  Of course, there are a few possible responses...

  • Acknowledge Responsibly - You can acknowledge what has happened, open an investigation, and communicate with the public and your customers.  While this may initially be bad PR, in the end it shows responsibility and maturity of process and management.
  • Acknowledge Irresponsibly - You can acknowledge the issue but attempt a campaign of misdirection and cover-up: redirect blame to partners, vendors and even former employees, release misleading information about the magnitude of the issue, and do not publicly investigate the breach.
  • Bury It - Redirect blame and issue no statements or official information.

    The problem is this - you know which you want to do, but which option will your lawyers allow you to take?  There are many IT Security departments which are run more by the company's legal counsel than by the IT Security manager or CISO.  Why is this, you may ask?  Lack of planning and initiative.  If a CISO has no strategic, pre-planned response for that dark day, the lawyers will more often than not take over and try to guide the company out of trouble (and in the process create a bigger problem).  Responsible breach disclosure isn't easy to plan for, and if executed poorly it can potentially cause a catastrophic end.  This game isn't for the faint of heart.

    The purpose here isn't to poke at the legal counsels; in fact, they're entirely necessary and should be your allies.  They should not, however, run your crisis management process.  Crisis management should be left to those who are trained for it, and not to the CEOs, the lawyers, or the PR department.  Litigation should be a component of your crisis-management process, but if you lose control of the situation as the "security" function, you're in for a rough ride.

    As the title of this entry suggests, there is a political component to every "incident" that must be carefully navigated.  Leave room in your response strategy (crisis management process) for all those previously mentioned folks to do their part - but make sure you understand that you have to control the situation.  You're only going to accomplish any semblance of control by planning in advance, working your plan through the ranks, and making sure you have buy-in long before the call comes.  This is really a case of failing to plan means planning to fail.

    Politics is a dirty business, but unfortunately you cannot escape it, even in IT Security management.  Remember: make allies, plan ahead, and get buy-in, and you'll weather the storm.  Otherwise... I need to tell you a story about 3 envelopes...
