Infosec teams must be allowed to fail, argues Gartner
But failing to recover from incidents is unforgivable because 'adrenalin does not scale'
Zero tolerance of failure by information security professionals is unrealistic, and makes it harder for cyber security folk to do the essential part of their job: recovering fast from inevitable attacks, according to Gartner analysts Chris Mixter and Dennis Xu.
In their keynote at the firm's Security & Risk Management Summit in Sydney, Australia, today, VP analyst Mixter and director analyst Xu argued that no amount of effort can prevent infosec incidents, and the quality of organizations' response is a more appropriate measure of an infosec team’s effectiveness than expecting they will never fail to fend off the never-ending torrent of attacks.
"Adrenalin does not scale," Xu told the event – a reference to infosec teams responding to incidents on the fly, without a rehearsed plan.
Relying on adrenaline also means the business assumes infosec teams are capable of heroic effort, motivated by the fear that cyber attacks create personal consequences of being fired or even prosecuted.
"We cannot allow this persecution mindset to persist," Xu argued. "If we do our mindset will not change."
Mindset change is needed, the pair contend, because most organizations are immature in terms of their incident response capabilities.
The two analysts therefore counselled infosec pros to work with the business, to develop recovery plans based on tolerable impacts, as doing so helps infosec teams to prioritize investments.
When incidents occur, those discussions also make it easier to explain the infosec team's response – which could include a recommendation to take down systems that have not been impacted. Such recommendations will likely generate pushback, but preparing the ground makes it easier to handle such objections.
The pair recommended extensive rehearsal for recoveries – especially for incidents caused by third parties, as they are the root cause of most cyber attacks.
Developing recovery playbooks and practising their execution will help to keep infosec teams effective – by making heroic action less necessary and by allowing cyber security practitioners to follow processes they have rehearsed.
Better mental health can result, they argued. In a later session, Christine Lee, Gartner's senior director of research and content leader of its cyber security research team, made the same case.
Lee characterized burnout as a debilitating state that leaves workers unable to do their jobs – not mere tiredness. She said infosec workers can experience post-traumatic stress disorder after responding to incidents and become prone to health issues.
She therefore suggested that incident response plans must create at least two teams who work on strictly defined shifts, so that incident responders get proper rest. She also advocated for chief information security officers to be trained to detect signs of stress so they can manage incident response teams more effectively. Lee also advocated for mental health debriefs to become part of post-incident assessments.
In another conference session, senior principal analyst Alex Michaels suggested infosec teams could even consider hiring behavioral psychologists to help them understand the mental state of their staff and attackers. Doing so, he proposed, could even help orgs to overcome shortages of staff with infosec skills.
Perhaps counterintuitively, Mixter and Xu called for infosec teams to acknowledge more incidents – a conscious inversion of the "days since last incident" metric used to indicate observance of safety procedures in many industries. The analysts said that reporting even small events can see teams take pride in being able to continuously, and calmly, cope with infosec issues.
It also creates more opportunities to hone their recovery routines, which in turn means more opportunities to innovate – demonstrating that the org is constantly working to improve cyber security and does not deserve censure when incidents emerge.