Incident Plan vs Incident Planning?

by Anton Chuvakin  |  July 23, 2013  |  7 Comments

“You MUST have an incident response plan!!!” Thus screamed plenty of security incident response guidance, including some of my own.

However, whatever happened to “no plan survives contact with the enemy” (a classic version of a quote from Helmuth von Moltke)? Aren’t plans useless because of that?

Still, if you think Sun Tzu trumps von Moltke any day of the week, then how about “the general who wins a battle makes many calculations in his temple before the battle is fought” (a quote from Sun Tzu, who also said that “the enlightened ruler lays his plans well ahead”)?

The enlightened reader should be reaching this “Aha!” moment right about now: PLANS can be useless, but PLANNING is golden! A process for “laying plans” and “making calculations” is a secret of winning (well, not losing), and having a printout of your plan in hand won’t do the trick.

Security incident response planning is an activity, a process, a verb (if you must). On the other hand, a plan is a piece of paper, as useless as …eh… a security policy that is not tied to monitoring and enforcement.

Even PCI DSS, occasionally a source of useful security wisdom, has this to say about security incident response planning (Requirements 12.5.3, 12.9 and others):

“12.9 Implement an incident response plan. Be prepared to respond immediately to a system breach.”

“12.5.3 Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.”

(it does NOT say “download a stupid IR plan template from some shady site and then go to sleep until CNN announces a breach at your site”, in case you are wondering!)

On top of this, QSAs are told to “review documentation from a previously reported incident or alert to verify that the documented incident response plan and procedures were followed.”

By the way, PCI DSS also states that an organization must “test the plan at least annually” (Requirement 12.9.2). Even if life tests your plans more often than that (which is extremely likely nowadays), a dedicated test of response workflows and activities, especially for the types of incidents common in your industry but not yet experienced by your organization, is an extremely worthwhile endeavor…

Finally, incident response planning is something even ostriches with their heads in the sand must do: if you make a concerted effort to avoid security monitoring (in order to avoid detecting an incident and thus incurring extra work), an incident will likely come your way anyway! After all, doesn’t the Verizon breach report say that most incidents are detected by third parties? Therefore, you need to plan how you will respond to an incident that happened a year ago…



Thoughts on Incident Plan vs Incident Planning?


  1. Alex Parkinson says:

    Hi,

    Thank you for making the point about the value of plans versus planning.

    A couple of observations:
    1. Large (hierarchical) organisations often place all the value on the plan. The bigger and more detailed the plan, the more valuable it is to the organisation.
    2. These organisations often view planning activity as the cost of producing a plan. Costs are minimized as much as possible.
    3. Small adaptive organisations often realise that there is little value in the plan itself.
    4. Unfortunately, these adaptive organisations often “throw the baby out with the bath water”. If the plan is not useful, then the process to produce the plan is a waste of time and effort.

    The value placed on plans and planning can be informative about the organisations overall.

    Some militaries use the term “appreciation” to refer to the process of assessing and understanding the possible options.

    Kind Regards,
    Alex

  2. […] plans and execute according to them. Of course all plans require backup plans and back out plans. I then read an article this morning by Anton Chuvakin on the Gartner blog about this very thing. It is about how having a Incident Response Plan is important but it’s not the plan that […]

  3. Alex, thanks for your really insightful comments. Indeed, plenty of orgs under-do planning while others over-do the plan creation.

  4. Incident Plan? Incident Planning?

    Why oppose them? I’d combine both 😉

    As we all know, the key idea is 1) to think *before* and then 2) prepare as much as possible – 2 parts, 2 steps.

    Therefore, implementing the results [of thinking] as a response + workflow for your DLP / Incident Mgmt engine, to support what’s required right after, is extremely in demand:

    1) immediate / automatic response [might be [sub] workflow as well, though]
    2) workflow to support whole investigation process as required, with 1) as a trigger for 2), if you wish [might take month(s)]

    I mean, we found a very promising idea that the *whole* chain

    Incident – Investigation – Measures – [measures] Execution Control*

    must be covered and supported by the *one* tool [chain]

    * KPI is a bonus

    PS: here is a short video at http://www.youtube.com/watch?v=pnqhAr2uUIM to illustrate Incident Management and Response/Workflow using Data Luxury Protection on the endpoints, from the end user’s view.

  5. […] ← Incident Plan vs Incident Planning? […]

  6. @valery Thanks a lot for the comment. Indeed, the “opposition” was a bit false and artificial. You do need A PLAN and you do need TO PLAN.

  7. BTW, thanks for the video link – will look at it.
