Why security and privacy teams fail when they don’t integrate their incident response

Can your cybersecurity team quickly coordinate with your privacy team for incident response? If your company is like most, the answer is no. 

Typically, security teams operate in a silo, contacting the privacy team only when they understand that an incident involves privacy concerns. But that means people who aren’t legal experts are making legal judgments. 

For example, when alerted to a company laptop infected with malware, your security team quickly acts to contain and assess the damage, investigate who and what is responsible, and remediate system vulnerabilities. They may not think to alert your privacy team, however, and that oversight may compromise your regulatory and contractual obligations.

When the security team does contact privacy, the process may involve tedious back-and-forth to gather all the necessary details. That confusion erodes the time margin for notifying regulators and customers, and if you don’t meet those notification deadlines, you may face penalties or lawsuits from regulators, customers, and shareholders. In the case of a mega breach, litigation could last for years. Poor response also raises the risk of snowballing consequences, including customer churn, lost productivity, and brand damage.

How security teams prepare for privacy incident management

Even if you hire a seasoned Chief Information Security Officer (CISO) or train your security team on legal ramifications, neither will prepare them to identify every possible type of privacy incident they may come across. Again — they’re not legal experts. You can’t expect them to anticipate every concern your privacy team might have. 

Security’s focus on swift defense against cyber-attacks means team members excel in streamlined, technically-oriented operations. Privacy’s strength lies in their attention to complex legal and contractual matters. Integrating security’s operational know-how with privacy’s policy expertise takes privacy incident management to a whole new level of efficiency. With a system that breaks down silos and facilitates efficient collaboration and communication, you can reduce your company’s risk of running afoul of regulators and contract obligations.

Create integrated response playbooks

Our last post covers the benefits of creating playbooks that identify the teams and actionable steps to address potential incidents. Since some incidents call for action by both security and privacy, the associated playbooks would detail what their integrated response would look like.

For example, an integrated response playbook that covers an insider threat scenario where an employee is outsourcing their job without permission would include security tasks such as locking the employee’s computer and checking its logs to review all risky activities. The playbook would also stipulate contacting the privacy team and include information they’re likely to ask for, such as which customer accounts the employee handled.

In another example, a ransomware-specific playbook would explain what to do if the attack affects an entire network of systems versus a single computer. Security would launch their response, but since attackers often exfiltrate customer or other sensitive data and then extort the affected company, privacy should be looped in quickly. Additionally, cyber insurance policies detail specific steps you must follow to make a claim. Without an integrated response, you might miss notification deadlines or botch the insurance process.

Build a smooth, integrated response via tabletops

Tabletop exercises allow all the teams included in an incident response playbook — such as communications, HR, privacy, security, or senior executives — to practice coordinated incident response scenarios. Try to assemble all the relevant teams to go through their various responsibilities at least once a year. If you find it difficult to regularly schedule time for all those staff members to practice together, you may try having your security and privacy teams do smaller, discrete exercises more frequently based on specific scenarios your organization is likely to encounter. This is likely to be a useful practice regardless to cover the breadth of events likely to occur.

The frequency that you hold tabletops depends on the number of scenarios your company is likely to face and how much time teams can feasibly devote.  Teams need to know what information they need to gather and what decisions they need to make during a real incident. It’s important that they practice realistic scenarios regularly so they work together smoothly when an incident occurs. 

Refine integrated response through technology

Technology can help security teams develop integrated responses with other teams by mapping data types to regulations. That way, security teams can understand quickly whether an incident involves legal work or if it sits solely under their jurisdiction. You can help your teams stay on the same page by using software that:

• Creates and updates actionable incident response playbooks 
• Simplifies complex logic within action plans and streamlines workflows by letting team members know when to do which tasks 
• Assigns team members specific tasks within appropriate timeframes 
• Facilitates incident simulations and tabletop exercises
• Facilitates cross-functional processes using built-in collaboration tools
• Tracks and reports on response efficiency, so teams can analyze and improve their integrated response

Shameless plug: Platforms such as BreachRx can help security teams quickly get up to speed on coordinating with privacy and other teams. One prospective customer and their GC recently commented that the platform is great for privacy and security. We completely agree! 

With an integrated incident response, your organization can meet regulatory and contractual deadlines more efficiently because everyone knows their role and exactly how they’ll respond to privacy incidents before they ever happen. That preparation enables your privacy and security teams to fulfill their common mission — protecting your organization.