Lately, I’ve been noticing some vile examples of treating information security incidents in the same way as IT “issues.”
Think about it: “my PC is slow today” vs “my $800 million wind turbine schematics are stolen today” … these are TOTALLY the same and should be handled by the same people in the same way.
People, what kind of stuff are you smoking? This is totally and certifiably crazy!
One example comes from a recent conversation with somebody who said that the sole focus of his security IR program is to “restore IT service.” So, if the attackers steal all his payment data, employee data, deploy bots [well-written ones, that don’t disrupt his IT service], change corporate records, snoop on their executives’ private messages, etc, etc, etc , his “incident responders” won’t even get out of bed. Seriously? However, if a user reports that something (probably malware) opens too many windows, and that interferes with work, they will perform their “reimage and restore” magic.
In any case, I am shocked that I have to explain it, but let me still try:
- For those who like to preach the “security and business alignment” theme, think of security IR as responding to a “business incident,” not an IT issue.
- For those stuck in compliance-land, think of a data breach. Does it reduce your IT service? Probably not. Will it affect your organization? Oh, yes. Therefore, response becomes essential.
- For those ITIL lovers, keep loving it. Just don’t confuse the word “incident” in ITIL with a security incident. This is “lead pipe vs lead guitar” all over again…
- For those with LEO thinking, think of security incidents as … computer crimes. Some are and many aren’t, but *crime* is not thought of as an IT problem.
Now, I am not advocating more silos and walls between IT and infosec (well, sometimes you do need walls – think rogue sysadmin investigations). IT helpdesk often serves as a useful “intrusion detection system” that can reveal anomalies to a security team. Similarly, remediation activities will involve opening tickets, engaging with system administrators, making system changes, etc. Collaboration and cooperation though is NOT the same as equality.
The difference between IT issue resolution and security incident response is HUGE and UNAMBIGUOUS. Keep that in mind!
Posts related to the same research project:
- Top-shelf Incident Response vs Barely There Incident Response
- On SANS Forensics Survey
- Incident Plan vs Incident Planning?
- On Importance of Incident Response
- Is That An Incident In Your Pocket – Or Are You Just Happy to See Me?
- Time-tested Incident Response Wisdom?
- Incident Response: The Death of a Straight Line
- Alert-driven vs Exploration-driven Security Analysis
- My Next Research Area: Incident Response
- All posts tagged security incident response
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.